Method and system for key distribution and exchange for data processing accelerators

ABSTRACT

A system is disclosed that receives, at a host system from a data processing (DP) accelerator, an accelerator identifier (ID) that uniquely identifies the DP accelerator, wherein the host system is coupled to the DP accelerator over a bus. The system transmits the accelerator ID to a predetermined trusted server over a network. The system receives a certificate from the predetermined trusted server over the network, the certificate certifying the DP accelerator. The system extracts a public root key (PK_RK) from the certificate for verification, the PK_RK corresponding to a private root key (SK_RK) associated with the DP accelerator. The system establishes a secure channel with the DP accelerator using the PK_RK based on the verification to exchange data securely between the host system and the DP accelerator.

CROSS-REFERENCE TO RELATED APPLICATION

This patent application is a U.S. National Phase Application under 35U.S.C. § 371 of International Application No. PCT/CN2019/070399, filedJan. 4, 2019, entitled “METHOD AND SYSTEM FOR KEY DISTRIBUTION ANDEXCHANGE FOR DATA PROCESSING ACCELERATORS,” which is incorporated byreference herein by its entirety.

TECHNICAL FIELD

Embodiments of the invention relate generally to searching content. Moreparticularly, embodiments of the invention relate to methods and systemsfor key distribution and exchange for data processing (DP) accelerators.

BACKGROUND

Sensitive transactions are increasingly being performed by dataprocessing (DP) accelerators such as artificial intelligence (AI)accelerators or co-processors. This has increased the need for securingcommunication channels for DP accelerators and securing an environmentof a host system to protect the host system from unauthorized accesses.

For example, AI training data, models, and inference outputs may not beprotected and thus would be leaked to untrusted parties. Thus, there isa need for a system to protect data processed by data processingaccelerators.

SUMMARY

In a first aspect, the present disclosure provides acomputer-implemented method for key distribution of a data processingaccelerator, the method comprising: receiving, at a host system from adata processing (DP) accelerator, an accelerator identifier (ID) thatuniquely identifies the DP accelerator, wherein the host system iscoupled to the DP accelerator over a bus; transmitting the acceleratorID to a predetermined trusted server over a network; receiving acertificate from the predetermined trusted server over the network, thecertificate certifying the DP accelerator; extracting a public root key(PK_RK) from the certificate for verification, the PK_RK correspondingto a private root key (SK_RK) associated with the DP accelerator; andestablishing a secure channel with the DP accelerator using the PK_RKbased on the verification to exchange data securely between the hostsystem and the DP accelerator.

In a second aspect, the present disclosure provides a non-transitorymachine-readable medium having instructions stored therein, which whenexecuted by a processor, cause the processor to perform operations, theoperations comprising: receiving, at a host system from a dataprocessing (DP) accelerator, an accelerator identifier (ID) thatuniquely identifies the DP accelerator, wherein the host system iscoupled to the DP accelerator over a bus; transmitting the acceleratorID to a predetermined trusted server over a network; receiving acertificate from the predetermined trusted server over the network, thecertificate certifying the DP accelerator; extracting a public root key(PK_RK) from the certificate for verification, the PK_RK correspondingto a private root key (SK_RK) associated with the DP accelerator; andestablishing a secure channel with the DP accelerator using the PK_RKbased on the verification to exchange data securely between the hostsystem and the DP accelerator.

In a third aspect, the present disclosure provides a host system,comprising: a processor; and a memory storing instructions, which whenexecuted by the processor, cause the processor to perform operations,the operations including: receiving, at a host system from a dataprocessing (DP) accelerator, an accelerator identifier (ID) thatuniquely identifies the DP accelerator, wherein the host system iscoupled to the DP accelerator over a bus; transmitting the acceleratorID to a predetermined trusted server over a network; receiving acertificate from the predetermined trusted server over the network, thecertificate certifying the DP accelerator; extracting a public root key(PK_RK) from the certificate for verification, the PK_RK correspondingto a private root key (SK_RK) associated with the DP accelerator; andestablishing a secure channel with the DP accelerator using the PK_RKbased on the verification to exchange data securely between the hostsystem and the DP accelerator.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention are illustrated by way of example and notlimitation in the figures of the accompanying drawings in which likereferences indicate similar elements.

FIG. 1 is a block diagram illustrating an example of systemconfiguration for securing communication between a host and data process(DP) accelerators according to some embodiments.

FIG. 2 is a block diagram illustrating an example of a multi-layerprotection solution for securing communications between a host and dataprocess (DP) accelerators according to some embodiments.

FIG. 3 is a flow diagram illustrating an example of a method accordingto one embodiment.

FIG. 4 is a block diagram illustrating an example of a host having anI/O manager according to one embodiment.

FIG. 5 is a block diagram illustrating an example of an I/O manager incommunication with DP accelerators according to some embodiments.

FIG. 6 is a block diagram illustrating regions of memory allocated to anumber of DP accelerators according to one embodiment.

FIG. 7 is a block diagram illustrating an example communication betweena host and a DP accelerator according to one embodiment.

FIGS. 8A and 8B are flow diagrams illustrating example methods accordingto some embodiments.

FIG. 9 is a block diagram illustrating an example of a host having ahost channel manager (HCM) according to one embodiment.

FIG. 10 is a block diagram illustrating an example of a host channelmanager (HCM) communicatively coupled to one or more accelerator channelmanagers (ACMs) according to some embodiments.

FIG. 11 is a block diagram illustrating user application to channelmappings using channel/session keys according to one embodiment.

FIGS. 12A-12B are block diagrams illustrating an example of a secureinformation exchange between a host and a DP accelerator according toone embodiment.

FIGS. 13A and 13B are flow diagrams illustrating example methodsaccording to some embodiments.

FIG. 14 is a block diagram illustrating an example system forestablishing a secure information exchange channel between a hostchannel manager (HCM) and an accelerator channel manager (ACM) accordingto one embodiment.

FIG. 15 is a block diagram illustrating an example information exchangeto derive a session key between a host and a DP accelerator according toone embodiment.

FIGS. 16A and 16B are flow diagrams illustrating example methodsaccording to some embodiments.

FIG. 17 is a block diagram illustrating an example of a host having asecure memory manager (MM) to secure memory buffers of DP acceleratorsaccording to one embodiment.

FIG. 18 is a block diagram illustrating an example of a memory manager(MM) according to some embodiments.

FIG. 19 is a flow diagram illustrating an example of a method accordingto one embodiment.

FIG. 20 is a block diagram illustrating an example of a host servercommunicatively coupled to a DP accelerator according to one embodiment.

FIG. 21 is a block diagram illustrating an example of a time unitaccording to one embodiment.

FIG. 22 is a block diagram illustrating an example of a security unitaccording to one embodiment.

FIG. 23 is a block diagram illustrating an example of a host servercommunicatively coupled to a DP accelerator to validate kernel objectsaccording to one embodiment.

FIG. 24 is a flow chart illustrating an example kernel objectsverification protocol according to one embodiment.

FIG. 25 is a flow diagram illustrating an example of a method accordingto one embodiment.

FIG. 26 is a block diagram illustrating an example of a host servercommunicatively coupled to a DP accelerator for kernels attestationaccording to one embodiment.

FIG. 27 is a flow chart illustrating an example attestation protocolaccording to one embodiment.

FIGS. 28A and 28B are flow diagrams illustrating example methodsaccording to some embodiments.

FIG. 29 is a block diagram illustrating an example of a host servercommunicatively coupled to trusted server and a DP accelerator accordingto one embodiment.

FIG. 30 is a flow chart illustrating an example DP acceleratorvalidation protocol according to one embodiment.

FIG. 31 is a flow diagram illustrating an example of a method accordingto one embodiment.

FIG. 32 is a block diagram illustrating a data processing systemaccording to one embodiment.

DETAILED DESCRIPTION

Various embodiments and aspects of the invention will be described withreference to details discussed below, and the accompanying drawings willillustrate the various embodiments. The following description anddrawings are illustrative of the invention and are not to be construedas limiting the invention. Numerous specific details are described toprovide a thorough understanding of various embodiments of the presentinvention. However, in certain instances, well-known or conventionaldetails are not described in order to provide a concise discussion ofembodiments of the present inventions.

Reference in the specification to “one embodiment” or “an embodiment”means that a particular feature, structure, or characteristic describedin conjunction with the embodiment can be included in at least oneembodiment of the invention. The appearances of the phrase “in oneembodiment” in various places in the specification do not necessarilyall refer to the same embodiment.

According to a first aspect of the disclosure, a data processing systemperforms a secure boot using a security module (e.g., trusted platformmodule (TPM)) of a host system. The system verifies that an operatingsystem (OS) and one or more drivers including an accelerator driverassociated with a data processing (DP) accelerator are provided by atrusted source. The system launches the accelerator driver within theOS. The system establishes a trusted execution environment (TEE)associated with one or more processors of the host system. The systemlaunches an application and a runtime library within the TEE, where theapplication communicates with the DP accelerator via the runtime libraryand the accelerator driver.

According to a second aspect, a system establishes a secure connection(having one or more secure channels) between a host system and a dataprocessing (DP) accelerator over a bus, the secure connection includingone or more command channels and/or data channels. In one embodiment,the one or more command channels may be unsecured. The system transmitsa first instruction from the host system to the DP accelerator over acommand channel, the first instruction requesting the DP accelerator toperform a data preparation operation. The system receives a firstrequest to read first data from a first memory location of the hostsystem from the DP accelerator over a data channel, in response to thefirst instruction. In response to the request, the system transmits thefirst data retrieved from the first memory location of the host systemto the DP accelerator over the data channel, where the first data isutilized for a computing or a configuration operation. The systemtransmits a second instruction from the host system to the DPaccelerator over the command channel, the second instruction requestingthe DP accelerator to perform the computing or the configurationoperation.

In one embodiment, a system establishes a secure connection between ahost system and a data processing (DP) accelerator over a bus, thesecure connection including one or more command channels and/or datachannels. The command channel(s) may be unsecured. The system receives,at the DP accelerator, a first instruction from the host system over acommand channel, the first instruction requesting the DP accelerator toperform a data preparation operation. In response to the firstinstruction, the system transmits a first request from the DPaccelerator to the host system over a data channel to read first datafrom a first memory location of the host system. The system receives thefirst data from the host system over the data channel, where the firstdata was retrieved by the host system from the first memory location ofthe host system. The system receives a second instruction from the hostsystem over the command channel, the second instruction requesting theDP accelerator to perform a computing or a configuration operation. Thesystem performs the computing or the configuration operation based on atleast the first data.

According to a third aspect, a system receives, at a host channelmanager (HCM) of a host system, a request from an application toestablish a secure channel with a data processing (DP) accelerator,where the DP accelerator is coupled to the host system over a bus. Inresponse to the request, the system generates a first session key forthe secure channel based on a first private key of a first key pairassociated with the HCM and a second public key of a second key pairassociated with the DP accelerator. In response to a first dataassociated with the application to be sent to the DP accelerator, thesystem encrypts the first data using the first session key. The systemthen transmits the encrypted first data to the DP accelerator via thesecure channel over the bus.

In one embodiment, a system receive, at an accelerator channel manager(ACM) of a data processing (DP) accelerator, a request from anapplication of a host channel manager (HCM) of a host system toestablish a secure channel between the host system and the DPaccelerator, where the DP accelerator is coupled to the host system overa bus. In response to the request, the system generates a second sessionkey for the secure channel and encrypts the second session key based ona second private key of a second key pair associated with the DPaccelerator and a first public key of a first key pair associated withthe HCM before sending the encrypted second session key to the HCM. Inresponse to a first data to be sent to the host system, the systemencrypts the first data using the second session key. The system thentransmits the encrypted first data to the HCM of the host system via thesecure channel.

According to a fourth aspect, in response to receiving a temporarypublic key (PK_d) from a data processing (DP) accelerator, a systemgenerates a first nonce (nc) at the host system, where the DPaccelerator is coupled to the host system over a bus. The systemtransmits a request to create a session key from the host system to theDP accelerator, the request including a host public key (PK_O) and thefirst nonce. The system receives a second nonce (ns) from the DPaccelerator, where the second nonce is encrypted using the host publickey and a temporary private key (SK_d) corresponding to the temporarypublic key. The system generates a first session key based on the firstnonce and the second nonce, which is utilized to encrypt or decryptsubsequent data exchanges between the host system and the DPaccelerator.

In one embodiment, in response to a request received from a host system,a system generates, at a data processing (DP) accelerator, a temporaryprivate key and a temporary public key, where the DP accelerator iscoupled to the host system over a bus. The system encrypts the temporarypublic key using an accelerator private root key associated with the DPaccelerator. The system transmits the temporary public key in anunencrypted form and the encrypted temporary public key to the hostsystem to allow the host system to verify the temporary public key. Thesystem receives a first nonce from the host system, where the firstnonce was generated by the host system after the temporary public keyhas been verified. The system generates a session key based on the firstnonce and a second nonce, where the second nonce has been generatedlocally at the DP accelerator.

According to a fifth aspect, a system performs a secure boot using asecurity module (e.g., trusted platform module (TPM)) of a host system.The system establishes a trusted execution environment (TEE) associatedwith one or more processors of the host system. The system launches amemory manager within the TEE, where the memory manager is configured tomanage memory resources of a data processing (DP) accelerator coupled tothe host system over a bus, including maintaining memory usageinformation of global memory of the DP accelerator. In response to arequest received from an application running within the TEE foraccessing a memory location of the DP accelerator, the system allows ordenies the request based on the memory usage information.

According to a sixth aspect, a DP accelerator includes one or moreexecution units (EUs) configured to perform data processing operationsin response to an instruction received from a host system coupled over abus. The DP accelerator includes a security unit (SU) configured toestablish and maintain a secure channel with the host system to exchangecommands and data associated with the data processing operations. The DPaccelerator includes a time unit (TU) coupled to the security unit toprovide timestamp services to the security unit, where the time unitincludes a clock generator to generate clock signals locally withouthaving to derive the clock signals from an external source. The TUincludes a timestamp generator coupled to the clock generator togenerate a timestamp based on the clock signals, and a power supply toprovide power to the clock generator and the timestamp generator.

In one embodiment, the TU further includes a counter coupled to theclock generator to count a count value based on the clock signalsgenerated from the clock generator and a persistent storage to store thecount value, where the count value is utilized by the timestampgenerator to generate the timestamp. In another embodiment, the counteris to increment the count value in response to each of the clocksignals, and where the persistent storage includes a 32-bit variable.However, the persistent storage can include variables of any size suchas 8-bit, 16-bit, 64-bit, etc.

In one embodiment, the time unit further includes a local oscillatorcoupled to the clock generator to provide precise pulse signals. In oneembodiment, the power supply comprises a battery to provide the powerwithout having to draw power from an external power source. In oneembodiment, the clock signals are generated without having tocommunicate with an external clock source. In one embodiment, the timeunit further includes a clock calibrator configured to calibrate theclock generator.

In one embodiment, the timestamp is utilized by the security unit totime stamp a session key for encrypting the exchanged data between theDP accelerator and the host system. In another embodiment, the timestampis utilized to time stamp an information exchange for the DPaccelerator, and the timestamp can be used to determine a freshness ofthe information exchange. In another embodiment, the timestamp of thesession key is utilized to determine whether the session key hasexpired.

According to a seventh aspect, a DP accelerator includes one or moreexecution units (EUs) configured to perform data processing operationsin response to an instruction received from a host system coupled over abus. The DP accelerator includes a time unit (TU) coupled to thesecurity unit to provide timestamp services. The DP accelerator includesa security unit (SU) configured to establish and maintain a securechannel with the host system to exchange commands and data associatedwith the data processing operations, where the security unit includes asecure storage area to store a private root key associated with the DPaccelerator, where the private root key is utilized for authentication.The SU includes a random number generator to generate a random number,and a cryptographic engine to perform cryptographic operations on dataexchanged with the host system over the bus using a session key derivedbased on the random number.

In one embodiment, the private root key is preconfigured and stored inthe secure storage area during manufacturing of the DP accelerator. Inone embodiment, the security unit is to receive a request from the hostsystem to establish a secure connection with the DP accelerator and inresponse to the request, generate the session key based on the randomnumber generated by the random number generator, where the session keyis utilized to encrypt or decrypt the data exchanged with the hostsystem over the secure connection.

In another embodiment, the random number generator is to generate therandom number based on a seed value. In another embodiment, thetimestamp is further to determine whether the session key has expired,in which a new session key is to be generated.

In another embodiment, in generating the session key based on the randomnumber, the security unit is to generate a temporary key pair having atemporary private key and a temporary public key, transmit the temporarypublic key and a signed temporary public key to the host, where thesigned temporary public key is signed by the private root key to allowthe host system authenticate the DP accelerator, receive a first noncefrom the host system, and generate a first session key based on thefirst nonce and a second nonce generated locally at the DP accelerator.In another embodiment, the security unit is further configured totransmit the first nonce and the second nonce signed by the private rootkey (e.g., of the DP accelerator) and encrypted by a public keyassociated with the host system.

In another embodiment, the host system is configured to decrypt theencrypted first nonce and the second nonce using a public root key(e.g., of the DP accelerator) corresponding to the private root key anda private key of the host system to recover the first nonce and thesecond nonce. In another embodiment, the host system is configured togenerate a second session key based on the recovered first nonce and thesecond nonce, where the second session key is utilized by the hostsystem for encryption and decryption.

In one embodiment, the time unit includes a clock generator to generateclock signals locally without having to derive the clock signals from anexternal source, a timestamp generator coupled to the clock generator togenerate a timestamp based on the clock signals, and a power supply toprovide power to the clock generator and the timestamp generator withouthaving to draw power from an external power source.

According to an eighth aspect, a system receives, at a runtime libraryexecuted within a trusted execution environment (TEE) of a host system,a request from an application to invoke a predetermined function toperform a predefined operation. In response to the request, the systemidentifies a kernel object associated with the predetermined function.The system verifies an executable image of the kernel object using apublic key corresponding to a private key that was used to sign theexecutable image of the kernel object. In response to successfullyverifying the executable image of the kernel object, the systemtransmits the verified executable image of the kernel object to a dataprocessing (DP) accelerator over a bus to be executed by the DPaccelerator to perform the predefined operation.

According to a ninth aspect, a system receives, at a host system apublic attestation key (PK_ATT) or a signed PK_ATT from a dataprocessing (DP) accelerator over a bus. The system verifies the PK_ATTusing a public root key (PK_RK) associated with the DP accelerator. Inresponse to successfully verifying the PK_ATT, the system transmits akernel identifier (ID) to the DP accelerator to request attestation of akernel object stored in the DP accelerator. In response to receiving akernel digest or a signed kernel digest corresponding to the kernelobject form the DP accelerator, the system verifies the kernel digestusing the PK_ATT. The system sends the verification results to the DPaccelerator for the DP accelerator to access the kernel object based onthe verification results.

In one embodiment, in response to an attestation request received from ahost system, a system generates at a data processing (DP) accelerator anattestation key pair having a public attestation key (PK_ATT) and aprivate attestation key (SK_ATT). The system transmits the PK_ATT or asigned PK_ATT from the DP accelerator to the host system, where the DPaccelerator is coupled to the host system over a bus. The systemreceives a kernel identifier (ID) identifying a kernel object from thehost system, where the kernel ID is received in response to successfulverification of the PK_ATT. The system generates a kernel digest byhashing an executable image of the kernel object in response to thekernel ID. The system transmits the kernel digest or a signed kerneldigest to the host system to allow the host system to verify and attestthe kernel object before accessing the kernel object to be executedwithin the DP accelerator.

According to a tenth aspect, a system receives, at a host system from adata processing (DP) accelerator, an accelerator identifier (ID) thatuniquely identifies the DP accelerator, where the host system is coupledto the DP accelerator over a bus. The system transmits the acceleratorID to a predetermined trusted server over a network. The system receivesa certificate from the predetermined trusted server over the network,the certificate certifying the DP accelerator. Optionally, the systemverifies that the certificate is associated with the trusted server,e.g., by verifying a certificate chain for the trusted server. Thesystem extracts a public root key (PK_RK) from the certificate, thePK_RK corresponding to a private root key (SK_RK) associated with the DPaccelerator. The system establishes a secure channel with the DPaccelerator using the PK_RK to exchange data securely between the hostsystem and the DP accelerator.

FIG. 1 is a block diagram illustrating an example of systemconfiguration for securing communication between a host and data process(DP) accelerators according to some embodiments. Referring to FIG. 1,system configuration 100 includes, but is not limited to, one or moreclient devices 101-102 communicatively coupled to DP server 104 overnetwork 103. Client devices 101-102 may be any type of client devicessuch as a personal computer (e.g., desktops, laptops, and tablets), a“thin” client, a personal digital assistant (PDA), a Web enabledappliance, a Smartwatch, or a mobile phone (e.g., Smartphone), etc.Alternatively, client devices 101-102 may be other servers. Network 103may be any type of networks such as a local area network (LAN), a widearea network (WAN) such as the Internet, or a combination thereof, wiredor wireless.

Server (e.g., host) 104 may be any kind of servers or a cluster ofservers, such as Web or cloud servers, application servers, backendservers, or a combination thereof. Server 104 further includes aninterface (not shown) to allow a client such as client devices 101-102to access resources or services (such as resources and services providedby DP accelerators via server 104) provided by server 104. For example,server 104 may be a cloud server or a server of a data center thatprovides a variety of cloud services to clients, such as, for example,cloud storage, cloud computing services, machine-learning trainingservices, data mining services, etc. Server 104 may be configured as apart of software-as-a-service (SaaS) or platform-as-a-service (PaaS)system over the cloud, which may be a private cloud, public cloud, or ahybrid cloud. The interface may include a Web interface, an applicationprogramming interface (API), and/or a command line interface (CLI).

For example, a client, in this example, a user application of clientdevice 101 (e.g., Web browser, application), may send or transmit aninstruction (e.g., artificial intelligence (AI) training, inferenceinstruction, etc.) for execution to server 104 and the instruction isreceived by server 104 via the interface over network 103. In responseto the instruction, server 104 communicates with DP accelerators 105-107to fulfill the execution of the instruction. In some embodiments, theinstruction is a machine learning type of instruction where DPaccelerators, as dedicated machines or processors, can execute theinstruction many times faster than execution by server 104. Server 104thus can control/manage an execution job for the one or more DPaccelerators in a distributed fashion. Server 104 then returns anexecution result to client devices 101-102. A DP accelerator or AIaccelerator may include one or more dedicated processors such as a Baiduartificial intelligence (AI) chipset available from Baidu, Inc. oralternatively, the DP accelerator may be an AI chipset from NVIDIA, anIntel, or some other AI chipset providers.

According to one embodiment, each of the applications accessing any ofDP accelerators 105-107 and hosted by DP server 104, also referred to asa host, may be verified that the application is provided by a trustedsource or vendor. Each of the applications may be launched and executedwithin a trusted execution environment (TEE) specifically configured andexecuted by a central processing unit (CPU) of host 104. When anapplication is configured to access any one of the DP accelerators105-107, a secure connection will be established between host 104 andthe corresponding one of the DP accelerator 105-107, such that the dataexchanged between host 104 and each of DP accelerators 105-107 isprotected against the attacks from malwares.

FIG. 2 is a block diagram illustrating an example of a multi-layerprotection solution for securing communications between a host systemand data process (DP) accelerators according to some embodiments. In oneembodiment, system 200 provides a protection scheme for securecommunications between host and DP accelerators with or without hardwaremodifications to the DP accelerators. Referring to FIG. 2, host machineor server 104 can be depicted as a system with one or more layers to beprotected from intrusion such as user application 203, runtime libraries205, driver 209, operating system 211, and hardware 213 (e.g., securitymodule (trusted platform module (TPM))/central processing unit (CPU)).Host machine 104 is typically a CPU system which can control and manageexecution jobs on the host system or DP accelerators 105-107. In orderto secure a communication channel between the DP accelerators and thehost machine, different components may be required to protect differentlayers of the host system that are prone to data intrusions or attacks.For example, a trusted execution environment (TEE) can protect the userapplication layer and the runtime library layer from data intrusions.

Referring to FIG. 2, system 200 includes host system 104 and DPaccelerators 105-107 according to some embodiments. DP acceleratorsinclude Baidu AI chipsets or any other AI chipsets such as NVIDIAgraphical processing units (GPUs) that can perform AI intensivecomputing tasks. In one embodiment, host system 104 is to include ahardware that has one or more CPU(s) 213 equipped with a security module(such as a trusted platform module (TPM)) within host machine 104. A TPMis a specialized chip on an endpoint device that stores cryptographickeys (e.g., RSA cryptographic keys) specific to the host system forhardware authentication. Each TPM chip can contain one or more RSA keypairs (e.g., public and private key pairs) called endorsement keys (EK)or endorsement credentials (EC), i.e., root keys. The key pairs aremaintained inside the TPM chip and cannot be accessed by software.Critical sections of firmware and software can then be hashed by the EKor EC before they are executed to protect the system againstunauthorized firmware and software modifications. The TPM chip on thehost machine can thus be used as a root of trust for secure boot.

The TPM chip also secures driver 209 and operating system (OS) 211 in aworking kernel space to communicate with the DP accelerators. Here,driver 209 is provided by a DP accelerator vendor and can serve as adriver for the user application to control a communication channelbetween host and DP accelerators. Because TPM chip and secure bootprotects the OS and drivers in their kernel space, TPM also effectivelyprotects the driver 209 and operating system 211.

Since the communication channels for DP accelerators 105-107 may beexclusively occupied by the OS and driver, thus, the communicationchannels are also secured through the TPM chip.

In one embodiment, host machine 104 includes trusted executionenvironment (TEE) 201 which is enforced to be secure by TPM/CPU 213. ATEE is a secure environment. TEE can guarantee code and data which areloaded inside the TEE to be protected with respect to confidentialityand integrity. Examples of a TEE may be Intel software guard extensions(SGX), or AMD secure encrypted virtualization (SEV). Intel SGX and/orAMD SEV can include a set of central processing unit (CPU) instructioncodes that allows user-level code to allocate private regions of memoryof a CPU that are protected from processes running at higher privilegelevels. Here, TEE 201 can protect user applications 203 and runtimelibraries 205, where user application 203 and runtime libraries 205 maybe provided by end users and DP accelerator vendors, respectively. Here,runtime libraries 205 can convert API calls to commands for execution,configuration, and/or control of the DP accelerators. In one embodiment,runtime libraries 205 provides a predetermined set of (e.g., predefined)kernels for execution by the user applications.

In another embodiment, host machine 104 includes memory one or more safeapplications 207 which are implemented using memory safe languages suchas Rust, and GoLang, etc. These memory safe applications running onmemory safe Linux releases, such as MesaLock Linux, can further protectsystem 200 from data confidentiality and integrity attacks. However, theoperating systems may be any Linux distributions, UNIX, Windows OS, orMac OS.

In one embodiment, the system can be set up as follows: A memory-safeLinux distribution is installed onto a system (such as host system 104of FIG. 2) equipped with TPM secure boot. The installation can beperformed offline during a manufacturing or preparation stage. Theinstallation can also ensure that applications of a user space of thehost system are programmed using memory-safe programming languages.Ensuring other applications running on host system 104 to be memory-safeapplications can further mitigate potential confidentiality andintegrity attacks on host system 104.

After installation, the system can then boot up through a TPM-basedsecure boot. The TPM secure boot ensures only a signed/certifiedoperating system and an accelerator driver are launched in a kernelspace that provides the accelerator services. In one embodiment, theoperating system can be loaded through a hypervisor. Note, a hypervisoror a virtual machine manager is a computer software, firmware, orhardware that creates and runs virtual machines. Note, a kernel space isa declarative region or scope where kernels (i.e., a predetermined setof (e.g., predefined) functions for execution) are identified to providefunctionalities and services to user applications. In the event thatintegrity of the system is compromised, TPM secure boot may fail to bootup and instead shuts down the system.

After the secure boot, runtime libraries 205 runs and creates TEE 201,which places runtime libraries 205 in a trusted memory space associatedwith CPU 213. Next, user application 203 is launched in TEE 201. In oneembodiment, user application 203 and runtime libraries 205 arestatically linked and launched together. In another embodiment, runtime205 is launched in TEE first and then user application 205 isdynamically loaded in TEE 201. In another embodiment, user application205 is launched in TEE first, and then runtime 205 is dynamically loadedin TEE 201. Note, statically linked libraries are libraries linked to anapplication at compile time. Dynamic loading can be performed by adynamic linker. Dynamic linker loads and links shared libraries forrunning user applications at runtime. Here, user applications 203 andruntime libraries 205 within TEE 201 are visible to each other atruntime, e.g., all process data are visible to each other. However,external access to the TEE is denied.

In another embodiment, the user application can only call a kernel froma set of kernels as predetermined by runtime libraries 205. In anotherembodiment, user application 203 and runtime libraries 205 are hardenedwith side channel free algorithm to defend against side channel attackssuch as cache-based side channel attacks. A side channel attack is anyattack based on information gained from the implementation of a computersystem, rather than weaknesses in the implemented algorithm itself (e.g.cryptanalysis and software bugs). Examples of side channel attacksinclude cache attacks which are attacks based on an attacker's abilityto monitor a cache of a shared physical system in a virtualizedenvironment or a cloud environment. Hardening can include masking of thecache, outputs generated by the algorithms to be placed on the cache.Next, when the user application finishes execution, the user applicationterminates its execution and exits from the TEE.

In summary, system 200 provides multiple layers of protection for DPaccelerators (such as communications of data such as machine learningmodels, training data, and inference outputs) from loss of dataconfidential and integrity. System 200 can include a TPM-based secureboot protection layer, a TEE protection layer, and a kernelvalidation/verification layer. Furthermore, system 200 can provide amemory safe user space by ensuring other applications on the hostmachine are implemented with memory-safe programming languages, whichcan further eliminate attacks by eliminating potential memorycorruptions/vulnerabilities. Moreover, system 200 can includeapplications that use side-channel free algorithms so to defend againstside channel attacks, such as cache based side channel attacks.

FIG. 3 is a flow diagram illustrating an example of a method accordingto one embodiment. Process 300 may be performed by processing logicwhich may include software, hardware, or a combination thereof. Forexample, process 300 may be performed by a host system, such as hostsystem 104 of FIG. 1. Referring to FIG. 3, at block 301, processinglogic performs a secure boot using a security module such as a trustedplatform module (TPM) of a host system. At block 302, processing logicverifies that an operating system (OS) and an accelerator driverassociated with a data processing (DP) accelerator are provided by atrusted source. At block 303, processing logic launches the acceleratordriver within the OS. At block 304, processing logic generates a trustedexecution environment (TEE) associated with a CPU of the host system. Atblock 305, processing logic launches an application and a runtimelibrary within the TEE, where the application communicates with the DPaccelerator via the runtime library and the accelerator driver.

In one embodiment, the application and the runtime library arestatically linked and launched together. In another embodiment, theruntime library is launched in the TEE, and after the runtime library islaunched, the application is dynamically loaded for launching. In oneembodiment, processing logic further launches other applications on thehost machine which are memory safe applications. In another embodiment,the memory safe applications are implemented by one or more memory safeprogramming languages. In one embodiment, the runtime library provides apredetermined set of kernels to be launched by the application to run atask by the DP accelerator. In one embodiment, processing logic furtherhardens the application and the runtime library running in the TEE withside channel free algorithms to defend against cache-based side channelattacks.

FIG. 4 is a block diagram illustrating an example of a host having anI/O manager according to one embodiment. System 400 may represent system200 of FIG. 2 to provide a protection scheme for secure communicationsbetween the host and DP accelerators. Referring to FIG. 4, in oneembodiment, TEE 201 of host system 104 includes I/O manager 401. In oneembodiment, DP accelerators 405-407 include I/O interface 415-417,respectively, which blocks, forbids, or denies a host from accessing amemory of the DP accelerators directly, while I/O manager 401 allows theDP accelerators to only access certain memory blocks of host system 104.

A conventional DP accelerator has an I/O interface which gives a hostmachine access permission to an entire global memory of the DPaccelerator. Indeed, malicious application might abuse this permissionto steal or change a memory buffer in the global memory of the DPaccelerators. To address this technical problem, embodiments of thedisclosure implements a communication protocol to forbid accesses to amemory system of the DP accelerator. E.g., a host machine can onlycommunicate with a DP accelerator through a command channel to issuecommands, while DP accelerators can communicate through a data channelto read or write data, to and from, the host machine through an I/Omanager of the host machine. The I/O manager can thus furthercharacterize the data access by the DP accelerator and may allow the DPaccelerator to only access a limited memory range of the host system.

For illustration purposes, an example operation performed by the DP maybe an addition operation, such as: 1+2=3. In this case, a host systemhaving access to a memory address of a DP accelerator may issue a numberof data preparation instructions remotely to load data into memorybuffers of the DP accelerators before the addition operation is carriedout.

However, a host system with no memory access to DP accelerator would notbe able to reference a memory address of the accelerator and has toissue a different set of processor instructions for the data preparationoperations. It is then up to the DP accelerator to issue follow upinstructions to read data from the host machine to obtain the data(e.g., operands for the addition instruction). Here, the memory addressof the DP accelerator is not visible to the host system.

FIG. 5 is a block diagram further illustrating an example of an I/Omanager in communication with a DP accelerator according to someembodiments. System 500 may be a detailed view of system 400 of FIG. 4.Referring to FIG. 5, in one embodiment, I/O manager 401 includes commandgenerator 501, mapped memory 503, and access control list (ACL) module505. I/O manager 401 can be communicatively coupled to driver 209, anddriver 209 can include ACL map 507 (e.g., IO MMU). Command generator 501can generate a command to be issued to a DP accelerator. Mapped memory503 can include a number of memory regions of host server 104 which aremapped to each DP accelerator. Mapped memory 503 can be a memory (e.g.,as part of hardware 213 of FIG. 4) of host server 104. ACL module 505can control (e.g., permit or deny) access to a corresponding mappedmemory region of host server 104 according to a logic table for acorresponding DP accelerator. ACL map 507 can contain a mapping tablethat maps different memory regions of memory 503 to DP accelerators asillustrated by FIG. 6. Here, FIG. 6 shows that DP accelerator 1 ismapped to more than one region (e.g., regions 1 . . . 11) and DPaccelerator 2 is mapped to region 12 according to one embodiment. E.g.,each DP accelerator can be mapped to many memory regions.

For example, in one embodiment, a DP accelerator is not allowed todirectly access memory locations (e.g., mapped memory 503) of a hostserver. However, the DP accelerator can access a memory region of thehost server (through ACL module 505) provided that ACL map 507 containsan entry of the DP accelerator mapped to the memory region(s) to beaccessed. In one embodiment, when a DP accelerator is added to hostsystem 104, e.g., host system 104 discovers that a new DP accelerator isconnected, ACL module 505 assigns an identifier to the DP accelerator,inserts an entry onto ACL map 507 corresponding to the DP accelerator,and/or reserves or allocates a block of available memory from memory503, e.g., a memory of host server 104 (as part of hardware 213 of FIG.4) for the DP accelerator. In one embodiment, ACL module 505 can send anotification to the DP accelerator to inform the DP accelerator of theavailable memory block. In one embodiment, the DP accelerator identifiercan be a generated GUID/UUID (universally unique identifier), a MACaddress, an IP address associated with the DP accelerator, or acombination thereof. In some embodiments, the host system is coupled toa number of DP accelerators. In one embodiment, when a DP accelerator isremoved from host system 104, e.g., host system 104 discovers that anexisting DP accelerator is no longer connected to host server 104, ACLmodule can remove an entry from ACL map 507 corresponding to the DPaccelerator and/or deallocate a block of memory from memory 503corresponding to the DP accelerator.

Referring to FIG. 5, in one embodiment, I/O interface 415 of DPaccelerator 405 includes modules such as: control registers 511 andcommand decoder 513. Control register 511 can control a behavior ofexecution units 517 and/or global memory 515. Command decoder 513 candecode a command received by DP accelerator 405. In one embodiment, DPaccelerator 405 can issue subsequent commands, e.g., read/write commandsto fetch data, from and to, 10 manager 401, to complete a requestedcommand.

FIG. 7 is a block diagram illustrating an example communication betweena host and a DP accelerator according to one embodiment. Operations 700may be performed by a host server 104 and/or a DP accelerator 405.Referring to FIG. 7, in operation 701, host server 104 sends a datapreparation command request (e.g., a data preparation instruction toperform a data preparation operation) to DP accelerator 405 to beprocessed by the DP accelerator via a command channel. In operation 702,DP accelerator 405 decodes the requested command to determine the typeof command to be a data preparation operation command.

If it is determined that data from host server 104 is required tofulfill the requested command, in operation 703, DP accelerator 405requests read access from host memory (e.g., a read operation) for thedata, where the data may reside in a first memory location of the hostsystem (e.g., mapped memory 503 of FIG. 5). In operation 704, inresponse to receiving the read access request, host server 104identifies the requesting DP accelerator and the memory region on thehost server 104 that is being requested (e.g., the first memorylocation), and queries an ACL map to determine whether the DPaccelerator has access permission to the requested memory region.

For example, host server 104 can query the ACL map for the DPaccelerator by an identifier associated with the DP accelerator. Ifthere is a query result entry, host server 104 would determine if therequested memory location lies within a memory region from the resultentry. If yes, DP accelerator 405 has read/write access permission. Ifit is determined that the DP accelerator has read access permission tothe memory region, in operation 705, host server 104 returns therequested data, via a data channel. If it is determined that the DPaccelerator has no read access permission, host server 104 may then senda notification of a read failure to DP accelerator 405.

In operation 706, host server 104 sends a DP command or a computing or aconfiguration command or DP instruction. In operation 707, DPaccelerator 405 processes the DP command or DP operations. In operation708, when the requested command completes, DP accelerator 405 store thecompletion results in a global memory of DP accelerator 405 (e.g.,global memory 515 of FIG. 5). DP accelerator 405 subsequently sends thecompletion results to host server 104 as a write request, via the datachannel. In operation 709, host server 104 identifies the DP acceleratorand the memory region (e.g., a second memory location) requested forwrite access, and queries the ACL map to determine whether DPaccelerator 405 has write access permission to the requested memoryregion.

If it is determined that the DP accelerator has write access permission,in operation 710, host server 104 stores the results in the requestedmemory location. In operation 711, host server 104 can subsequently sendan acknowledgement as the results are successfully received. Note that aDP/computing command refers to a command for data processingoperation(s) to be processed by a DP accelerator. A configurationcommand refers to command for configuration of the DP accelerator. Adata preparation command refers to a command for a data preparationoperation, e.g., to fetch a data, such as an operand for a DP command,from a host server.

FIGS. 8A and 8B are flow diagrams illustrating example methods accordingto some embodiments. Processes 800 and 820 may be performed byprocessing logic which may include software, hardware, or a combinationthereof. For example, process 800 may be performed by a host system(e.g., I/O manager 401) of FIG. 4, and process 820 may be performed by aDP accelerator (e.g., I/O interface 415) of FIG. 4. Referring to FIG.8A, at block 801, processing logic establishes a secure connectionbetween a host system and a data processing (DP) accelerator over a bus,the secure connection including one or more data channels. In anotherembodiment, the secure connection includes one or more command channels.At block 802, processing logic transmits a first instruction from thehost system to the DP accelerator over one command channel, the firstinstruction requesting the DP accelerator to perform a data preparationoperation. At block 803, processing logic receives a first request toread first data from a first memory location of the host system from theDP accelerator over one data channel, in response to the firstinstruction. At block 804, in response to the first request, processinglogic transmits the first data retrieved from the first memory locationof the host system to the DP accelerator over the data channel, wherethe first data is utilized for a computation or a configurationoperation. At block 805, processing logic transmits a second instructionfrom the host system to the DP accelerator over the command channel, thesecond instruction requesting the DP accelerator to perform thecomputation or the configuration operation.

In one embodiment, processing logic further examines the first requestto determine whether the DP accelerator is entitled to read from thefirst memory location of the host system and allows the DP acceleratorto read from the first memory location, in response to determining thatthe DP accelerator is entitled to read from the first memory location.In one embodiment, the DP accelerator is not allowed to directly accessthe first memory location of the host system. In one embodiment, the DPaccelerator is one of a number of DP accelerators coupled to the hostsystem.

In one embodiment, processing logic further receives a second request towrite a second data from the DP accelerator over the data channel, wherethe second data is to be written to a second memory location of the hostsystem. In response to the second request, processing logic stores thesecond data at the second memory location of the host system. In anotherembodiment, processing logic further examines the second request todetermine whether the DP accelerator is entitled to write to the secondmemory location of the host system. Processing logic allows the DPaccelerator to write to the second memory location, in response todetermining that the DP accelerator is entitled to write to the secondmemory location. In another embodiment, the second data represents atleast a portion of a result of the computation or the configurationoperation in response to the instruction.

Referring to FIG. 8B, in one embodiment, at block 821, processing logicestablishes a secure connection between a host system and a dataprocessing (DP) accelerator over a bus, the secure connection includingone or more command channels and/or one or more data channels. At block822, processing logic receives, at the DP accelerator, a firstinstruction from the host system over one command channel, the firstinstruction requesting the DP accelerator to perform a data preparationoperation. At block 823, in response to the first instruction,processing logic transmits a first request from the DP accelerator tothe host system over one data channel to read a first data from a firstmemory location of the host system. At block 824, processing logicreceives the first data from the host system over the data channel,wherein the first data was retrieved by the host system from the firstmemory location of the host system. At block 825, processing logicreceives a second instruction from the host system over the commandchannel, the second instruction requesting the DP accelerator to performa computation or configuration operation. At block 826, processing logicperforms the computation or configuration operation based on at leastthe first data.

In one embodiment, the host system is to examine the first request todetermine whether the DP accelerator is entitled to read from the firstmemory location of the host system, and where the host system is toallow the DP accelerator to read from the first memory location, inresponse to determining that the DP accelerator is entitled to read fromthe first memory location. In another embodiment, the DP accelerator isnot allowed to directly access the first memory location of the hostsystem. In another embodiment, the DP accelerator is one of a number ofDP accelerators coupled to the host system.

In another embodiment, processing logic further transmits a secondrequest from the DP accelerator to the host system over the data channelto write second data to a second memory location of the host system,where the second data represents at least a portion of a result of thecomputation or configuration operation. In another embodiment, the hostsystem is to examine the second request to determine whether the DPaccelerator is entitled to write to the second memory location of thehost system, and where the host system is to allow the DP accelerator towrite to the second memory location, in response to determining that theDP accelerator is entitled to write to the second memory location.

FIG. 9 is a block diagram illustrating an example of a host having ahost channel manager according to one embodiment. System 900 mayrepresent system 200 of FIG. 2 to provide a protection scheme to securean information exchange channel between a host and one or more DPaccelerators. Referring to FIG. 9, in one embodiment, host system 104includes runtime libraries 205 which includes host channel manager (HCM)901. Correspondingly, DP accelerators 405-407 include acceleratorchannel managers (ACMs) 915-917, respectively. HCM and ACMs supportgeneration of cryptographic keys to setup an asymmetrical (e.g., RSA)and/or symmetrical (e.g., AES) cryptography based information exchangechannel between host system 104 and DP accelerators 405-407. Here, DPaccelerators 405-407 can be DP accelerators 205-207 of FIG. 2.

FIG. 10 is a block diagram illustrating an example of a host channelmanager (HCM) communicatively coupled to one or more accelerator channelmanagers (ACMs) according to some embodiments. System 1000 may be adetailed view of system 900 of FIG. 9. Referring to FIG. 10, in oneembodiment, HCM 901 includes authentication module 1001, terminationmodule 1003, key manager 1005, key(s) store 1007, and cryptographyengine 1009. Authentication module 1001 can authenticate a userapplication running on host server 104 for permission to access or use aresource of a DP accelerator. Termination module 1003 can terminate aconnection (e.g., channels associated with the connection would beterminated). Key manager 1005 can manage (e.g., create or destroy)asymmetric key pairs or symmetric keys for encryption/decryption of oneor more data packets for different secure data exchange channels. Here,each user application (as part of user applications 203 of FIG. 9) cancorrespond or map to different secure data exchange channels, on aone-to-many relationship, and each data exchange channel can correspondto a DP accelerator. An example of a user application mapping tochannels using channel/session keys can be illustrated by FIG. 11,according to one embodiment. Here, application 1 maps to channel sessionkeys 1-11, where each session key is for a secure channel correspondingto a DP accelerator (e.g., 11 DP accelerators); application 2 is mappedto channel session key 12, and key 12 correspond to a particular DPaccelerator. Key(s) store 1007 can store encryption asymmetric key pairsor symmetric keys. Cryptography engine 1009 can encrypt or decrypt adata packet for the data exchanged through any of the secure channels.Note that some of these modules can be integrated into fewer modules.

Referring to FIG. 10, in one embodiment, DP accelerator 405 includes ACM915 and security unit (SU) 1020. Security unit 1020 can include keymanager 1025, key(s) store 1027, and cryptography engine 1029. Keymanager 1025 can manage (e.g., generate, safe keep, and/or destroy)asymmetric key pairs or symmetric keys. Key(s) store 1027 can store thecryptography asymmetric key pairs or symmetric keys. Cryptography engine1029 can encrypt or decrypt key information or data packets for dataexchanges. In some embodiments, ACM 915 and SU 1020 is an integratedmodule.

FIGS. 12A-12B are block diagrams illustrating an example of a secureinformation exchange between a host and a DP accelerator according toone embodiment. Example 1200 may be performed by system 1000 of FIG. 10.Referring to FIGS. 10 and 12A-12B, in one embodiment, before any datacommunication is to take place between a DP accelerator (such as DPaccelerators 405) and an application (hosted on host server 104)requesting DP accelerator resources, a secured information exchangechannel is required to be setup or established between host server 104and the DP accelerator. The information exchange channel setup can beinitiated by a user application of host server 104. For example a userapplication (such as a user application of application 203 of FIG. 9)can request HCM 901 to setup a secure data exchange channel.Authentication module 1001 can receive the request and authenticate thatthe user application is a trusted application. In one embodiment,authentication module 1001 verifies a permission of the user applicationor of a client access the user application, e.g., verifies whether theuser application or client has a permission to use resources from therequested DP accelerator(s). If permitted, information can then beexchanged between the user application and the DP accelerator throughthe secure channel by way of a session key to encrypt and decrypt theinformation exchanges.

In one embodiment, to create a session key, HCM 901 generates a firstpublic/private key pair associated with the application and/or channel,or the first public/private key pair may be a key pair associated withHCM 901. The first public/private key pair can be stored in the key(s)store 1007 and the first public key is sent to DP accelerator 405 (orACM 915) (e.g., operation 1201). ACM 915 then generates a unique sessionkey (e.g., a second session key) for the session (e.g., operation 1202),where the session key can be used to encrypt/decrypt data packetscommunicated to and from host server 104 (e.g., operations 1205-1216).In one embodiment, the session key is a symmetric key derived (orgenerated) based on a hash function, such as a cyclical redundancycheck, a checksum, or a cryptographic hash function, or a randomhash/number generator.

In one embodiment, when ACM 915 receives the first public key, ACM 915generates a second public/private key pair for the channel, where thesecond private key of the second public/private key pair and the firstpublic key are used to encrypt the session key or constituents of thesession key. In another embodiment, the second public/private key pairis a key pair associated with DP accelerator 405. In one embodiment, thefirst public key, second public key, second private key, and/or thesession key can be stored in key(s) store 1027. The session key (orconstituents thereof) can then be encrypted by the first public key andthe encrypted can be further encrypted by the second private key (e.g.,doubly encrypted), and the doubly encrypted session key informationtogether with the second public key can be sent to HCM 901 (e.g.,operation 1203).

Key manager 1005 of HCM 901 can then decrypt the encrypted session keybased on the second public key and the first private key (e.g.,operation 1204) to derive the session key (e.g., to generate a firstsession key). Thereafter, data communicated from the DP accelerator tothe host server 104, or vice versa (e.g., operations 1205-1216), can usethe symmetrical session key to encrypt and decrypt the data forcommunication. E.g., data are encrypted and are then sent over theinformation exchange channel by a sender. The received data is to bedecrypted by a receiver. Here, host server 104 and DP accelerator 405can read these data packets because host server 104 and DP accelerator405 have the same symmetric session key to encrypt and decrypt the datapackets.

In one embodiment, host server 104 (e.g., HCM 901) cannot directlyaccess a memory buffer of DP accelerator 405 (e.g., ACM 915), but DPaccelerator can access a memory buffer of host server 104. Thus,operations 1205-1211 are operations to send an encrypted data packetfrom host server 104 to DP accelerator 405, while operations 1212-1216are operations to send an encrypted data packet from DP accelerator 405to host server 104. Here, operations 1206-1210 are similar to operations701-705 of FIG. 7 for the host server 104 to provide a data packet to DPaccelerator 405.

Finally, when the application signals a completion for the session,application can request HCM 901 to terminate the session. Terminationmodule 1003 can then request key manager 1005 to destroy the session key(e.g., the first session key) associated with the session (as part ofoperation 1215) and send a termination notification (e.g., operation1216) to ACM 915 of DP accelerator 405 to request key manager 1025 todestroy the symmetric session key (e.g., the second session key)associated with the session. Although HCM 901 is shown to communicatewith only ACM 915, however, HCM 901 can communicate with multiples ofACMs corresponding to multiples of DC accelerators to establish multipledata exchange connections at the same time.

FIGS. 13A and 13B are flow diagrams illustrating example methodsaccording to some embodiments. Processes 1300 and 1320 may be performedby processing logic which may include software, hardware, or acombination thereof. For example, process 1300 may be performed by ahost system (e.g., HCM 901) of FIG. 9, and process 1320 may be performedby a DP accelerator (e.g., ACM 915) of FIG. 9. Referring to FIG. 13A, atblock 1301, processing logic receives, at a host channel manager (HCM)of a host system, a request from an application to establish a securechannel with a data processing (DP) accelerator, where the DPaccelerator is coupled to the host system over a bus. At block 1302, inresponse to the request, processing logic generates a first session keyfor the secure channel based on a first private key of a first key pairassociated with the HCM and a second public key of a second key pairassociated with the DP accelerator. At block 1303, in response to afirst data associated with the application to be sent to the DPaccelerator, processing logic encrypt the first data using the firstsession key. At block 1304, processing logic transmits the encryptedfirst data to the DP accelerator via the secure channel over the bus.

In one embodiment, in response to the request, processing logic furthertransmits a first public key of the first key pair associated with theHCM to the DP accelerator. Processing logic then receives the secondpublic key of the second key pair associated with the DP acceleratorfrom an accelerator channel manager (ACM) of the DP accelerator, inresponse to transmitting the first public key. In another embodiment,the ACM is configured to derive a second session key and to encrypt thesecond session key based on the first public key and a second privatekey of the second key pair before sending the encrypted second sessionkey to the HCM, where the first session key and the second session keyis a same symmetric key. In another embodiment, the ACM is configured todecrypt the encrypted first data using the second session key to recoverthe first data.

In one embodiment, processing logic further receives an encrypted seconddata from the ACM of the DP accelerator, wherein the second data wasencrypted using the second session key. Processing logic then decryptsthe encrypted second data using the first session key to recover thesecond data. In one embodiment, in response to the request, processinglogic further examines an application identifier (ID) of the applicationto determine whether the application is entitled to access the DPaccelerator, where the first session key is generated only if theapplication is entitled to access the DP accelerator. In one embodiment,processing logic further receives a request to terminate the securechannel from the application. In response to the request, processinglogic transmits an instruction to the ACM instructing the ACM toterminate the secure connection by destroying the second session key.Processing logic then destroys the first session key by the HCM.

Referring to FIG. 13B, in one embodiment, at block 1321, processinglogic receives, at an accelerator channel manager (ACM) of a dataprocessing (DP) accelerator, a request from an application of a hostchannel manager (HCM) of a host system to establish a secure channelbetween the host system and the DP accelerator, where the DP acceleratoris coupled to the host system over a bus. At block 1322, in response tothe request, processing logic generates a second session key for thesecure channel and encrypts information of the second session key basedon a second private key of a second key pair associated with the DPaccelerator and a first public key of a first key pair associated withthe HCM before sending the encrypted second session key information tothe HCM. At block 1323, in response to a first data to be sent to thehost system, processing logic encrypts the first data using the secondsession key. At block 1324, processing logic transmits the encryptedfirst data to the HCM of the host system via the secure channel.

In one embodiment, in response to the request, processing logic furthertransmits a second public key of the second key pair associated with theDP accelerator to the HCM of the host system and receives the firstpublic key of the first key pair associated with the HCM from the HCM.In another embodiment, the HCM is configured to derive a first sessionkey based on the first private key of the first key pair associated withthe HCM and a second public key of the second key pair associated withthe DP accelerator. In another embodiment, the HCM is configured todecrypt the encrypted first data using the first session key to recoverthe first data.

In another embodiment, processing logic further receives encryptedsecond data from the HCM of the host system, where the second data wasencrypted using the first session key. Process logic then decrypts theencrypted second data using the second session key to recover the seconddata, where the first session key and the second session key is a samesymmetric key. In one embodiment, processing logic further receives arequest to terminate the secure channel from the HCM of the host systemand in response to the request, processing logic destroys the firstsession key by the ACM.

FIG. 14 is a block diagram illustrating an example system forestablishing a secure information exchange channel between a hostchannel manager (HCM) and an accelerator channel manager (ACM) accordingto one embodiment. System 1400 may be a detailed view of system 900 ofFIG. 9. Referring to FIG. 14, in one embodiment, HCM 901 includes keysPK_O 1401, SK_O 1403, and PK_RK(s) 1411. Keys PK_O 1401 and SK_O 1403are respectively a public key and a private key of an asymmetriccryptographic key pair associated with HCM 901 and/or anapplication/runtime of host server 104, and key PK_RK(s) 1411 are one ormore public keys associated with ACM 915 of DP accelerator 405 and/orother DP accelerators. HCM 901 can also include key manager 1005. DPaccelerator 405 can include security unit 1020 coupled to ACM 915, wherethe security unit 1020 can include keys PK_RK 1413 and SK_RK 1415, whichare respectively a public and a private key of an asymmetriccryptographic key pair associated with ACM 915 and/or DP accelerator405. ACM 915 also includes key manager 1025. Key managers 1005 and 1025can generate encryption/decryption keys using a symmetric algorithm(e.g., AES) and/or an asymmetric algorithm (e.g., Diffie-Hellman keyexchange protocol, RSA, etc.).

FIG. 15 is a block diagram illustrating an example information exchangeto derive a session key between a host and a DP accelerator according toone embodiment. Example 1550 includes a number of operations to derive asession key, which may be performed by system 1400 of FIG. 14. Referringto FIGS. 14 and 15, in one embodiment, at operation 1551, HCM 901 sendsa command “CMD_get public key” to ACM 915 to initiate a process toderive a session key. At operation 1552, upon receipt of the requestcommand, ACM 915 generates a temporary (or a derived) public/private keypair (e.g., PK_d and SK_d) for derivation of a session key. ACM 915encrypts the temporary public key PK_d with a private root key (e.g.,SK_RK) associated with the DP accelerator. At operation 1553, a copy ofthe encrypted temporary public key and a copy of the temporary publickey are sent by ACM 915 to HCM 901. At operation 1554, HCM 901 receivesthe copies and decrypts the encrypted temporary public key using PK_RK(here, PK_RK can be previous received by HCM 901 and is stored asPK_RK(s) 1411 of HCM 901 of FIG. 14) and the temporary public key thatis decrypted is compared with the copy of temporary public key PK_dreceived at operation 1553. If the decrypted key matches the temporarypublic key, then HCM 901 has verified that the message is from anexpected party. Note, PK_RK(s) 1411 can contain a number of public keysfor a number of DP accelerators 405-407.

At operation 1555, HCM 901 generates a first random nonce (nc). Atoperation 1556, HCM 901 sends a command “CM_generate session key”, apublic key associated with the HCM (e.g., PK_O), and the nonce nc to ACM915. At operation 1557, upon receiving the “CM_generate session key”command, ACM 915 generates a second random nonce (ns). At operation1558, ACM 915 derives a session key based on the first and the secondrandom nonce, nc and ns. In one embodiment, the session key is derivedby a hash function of random nonce nc concatenated with random nonce ns.In another embodiment, the session key is derived by a hash function ofa valued based on nc added with ns. The session key is then used toencrypt and decrypt data exchanged between ACM 915 and HCM 901.

At operation 1559, ACM 915 doubly encrypts the nonces nc and ns with thetemporary private key (e.g., SK_d), followed by the public keyassociated with the HCM (e.g., PK_O). ACM 915 then sends the doublyencrypted nonces, nc and ns, to HCM 901. At operation 1560, HCM 901decrypts the doubly encrypted nonces nc and ns based on the HCMassociated private key (e.g., SK_O) and the temporary public key (e.g.,PK_d). At operation 1561, HCM 901 verifies a freshness of the sessionkey by verifying random nonce nc is indeed identical to a copy of therandom nonce nc originally generated by HCM 901. If yes, at operation1562, HCM 901 derives a session key based on the first and the secondrandom nonce (e.g., nc and ns). In one embodiment, the session key isderived by a hash function of random nonce nc concatenated with randomnonce ns. In another embodiment, the session key is derived by a hashfunction of a valued based on nc added with ns. The session key is thenused to encrypt and decrypt data exchanged between HCM 901 and ACM 915.Note, although the session key is described as a cryptographic key basedon a symmetric encrypt algorithm, the session key may also be apublic/private key pair.

FIGS. 16A and 16B are flow diagrams illustrating example methodsaccording to some embodiments. Processes 1600 and 1620 may be performedby processing logic which may include software, hardware, or acombination thereof. For example, process 1600 may be performed by ahost server (e.g., HCM 901) of FIG. 14, and process 1620 may beperformed by a DP accelerator (e.g., ACM 915) of FIG. 14. Referring toFIG. 16A, at block 1601, in response to receiving a temporary public key(PK_d) from a data processing (DP) accelerator, processing logicgenerates a first nonce (nc) at the host system, where the DPaccelerator is coupled to the host system over a bus. At block 1602,processing logic transmits a request to create a session key from thehost system to the DP accelerator, the request including a host publickey (PK_O) and the first nonce. At block 1603, processing logic receivesa second nonce (ns) from the DP accelerator, where the second nonce isencrypted using the host public key and a temporary private key (SK_d)corresponding to the temporary public key. At block 1604, processinglogic generates a first session key based on the first nonce and thesecond nonce, which is utilized to encrypt or decrypt subsequent dataexchanges between the host system and the DP accelerator.

In one embodiment, processing logic further transmits a request from thehost system to the DP accelerator to request the DP accelerator togenerate a derived or temporary key pair having the temporary public keyand the temporary private key, where the DP accelerator creates thetemporary key pair in response to the request. The temporary key may beused once or several times over a predetermined period of time such asdays, weeks, or even months depending on an implementation by the DPaccelerator. In another embodiment, the temporary public key from the DPaccelerator is a first temporary public key, and processing logicfurther receives an encrypted second temporary public key that has beenencrypted using an accelerator private root key (SK_RK) by the DPaccelerator. In another embodiment, processing logic further decryptsthe encrypted second temporary public key using an accelerator publicroot key (PK_RK) corresponding to the accelerator private root key torecover a second temporary public key. Processing logic then verifieswhether the first temporary public key and the second temporary publickey are identical, where the first nonce is generated when the first andsecond temporary public keys are identical.

In one embodiment, receiving a second nonce from the DP acceleratorincludes receiving the first nonce and the second nonce that have beenencrypted using a temporary private key corresponding to the temporarypublic key. In another embodiment, processing logic further decrypts theencrypted first nonce and second nonce using the first or the secondtemporary public key at the host system to recover the first nonce andthe second nonce. In another embodiment, the first nonce and the secondnonce encrypted by the temporary private key are further encrypted usingthe host public key by the DP accelerator. In another embodiment,processing logic further decrypts the encrypted first nonce and secondnonce using a host private key corresponding to the host public key torecover the first nonce and the second nonce.

Referring to FIG. 16B, in one embodiment, at block 1621, in response toa request received from a host system, processing logic generates, at adata processing (DP) accelerator, a temporary private key and atemporary public key, where the DP accelerator is coupled to the hostsystem over a bus. At block 1622, processing logic encrypts thetemporary public key using an accelerator private root key associatedwith the DP accelerator. At block 1623, processing logic transmits thetemporary public key in an unencrypted form and the encrypted temporarypublic key to the host system to allow the host system to verify thetemporary public key. At block 1624, process logic receives a firstnonce from the host system, where the first nonce was generated by thehost system after the temporary public key has been verified. At block1625, processing logic generates a session key based on the first nonceand a second nonce, where the second nonce has been generated locally atthe DP accelerator.

In one embodiment, processing logic further encrypts the first nonce andthe second nonce using the temporary private key to generate encryptedfirst nonce and second nonce. Process logic then transmits the encryptedfirst nonce and second nonce to the host system to enable the hostsystem to create a corresponding host session key. In anotherembodiment, processing logic further encrypts the encrypted first nonceand second nonce using a host public key associated with the hostsystem, prior to transmitting the encrypted first nonce and secondnonce. In another embodiment, the host system is configured to decryptthe encrypted first nonce and second nonce using a host private keyassociated with the host system and the temporary public key to recoverthe first nonce and the second nonce. In another embodiment, the hostsystem is configured to verify freshness of the first nonce, where thehost session key is generated only if the first nonce was generatedwithin a predetermined period of time.

Memory buffers of DP accelerators can contain programs required to run aDP accelerator, input data to the programs, and output results from theprograms. Unsecured memory buffers of DP accelerators can lead to acompromise in the overall host server-DP accelerators systemarchitecture. Memory buffers of DP accelerators can be secured by notallowing a host server to access these PD accelerators, as describedabove. For the scenario where a host server cannot access a memorybuffer of DP accelerators, the host server however can retain memoryusage information for the DP accelerators. The memory usage informationcan be retained in a trusted execution environment (TEE) which canensure data confidentiality and integrity.

FIG. 17 is a block diagram illustrating an example of a host having asecure memory manager (MM) to secure memory buffers of DP acceleratorsaccording to one embodiment. System 1700 may represent system 900 ofFIG. 9 to provide the secure memory manager on host server 104 to managememory of DP accelerators. Referring to FIG. 17, in one embodiment, hostserver 104 includes runtime libraries 205 which includes MM 1701.Correspondingly, DP accelerator 405 can include memory 1703 and memoryunit (MU) 1705, while DP accelerator 407 can include memory 1707 and MU1709. Memory manager can manage a memory of DP accelerator. Memories1703 and 1707 can be global memories of DP accelerators. A global memorycan be a component in accelerator for storing information such asprogram codes to be executed on DP accelerators, inputs to the programcodes and output results from execution of the program. MU 1705 and 1709can communicate and coordinate with MM 1701 about memory layout andmemory usage of memories 1703 and 1707 of DP accelerators, respectively.

FIG. 18 is a block diagram illustrating an example of a memory manager(MM) according to some embodiments. Referring to FIG. 18, memory manager1701 can includes memory allocator 1801, memory de-allocator 1803, andmemory usage registry table(s) 1811. Memory allocator 1801 can allocatea block of memory from a global memory of a DP accelerator (e.g., memory1703 of DP accelerator 405). Memory de-allocator 1803 can de-allocate ablock of memory from a global memory of a DP accelerator. Memory usageregistry table(s) 1811 can record memory layout and usage informationfor memory blocks associated with DP accelerators of the host server. Inone embodiment, each table (as part of registry table(s) 1811) can berelated to a DP accelerator and the table can have multiple entries formultiple user applications. For example, a user application can have twoentries for to reserve two memory blocks of the DP accelerator. Theregistry table(s) can then be used as a reference to allocate orde-allocate memory blocks for the DP accelerators. Memory usage registrytable(s) 1811 can include one or more memory management tables. A memorymanagement table is a data structure used by a system in a computeroperating system to store a mapping between user applications andphysical addresses and/or virtual addresses. An example memory usageregistry table for a DP accelerator can have fields such as applicationID, start address, and size, where the application ID denotes which userapplication has been allocated a block of memory, and the start addressand size denotes an address and a size of the block of memory. In someembodiments, registry table(s) can include additional fields such asflags indicating whether a corresponding memory block has beenallocated, a physical address to virtual address memory is mapped, reador write access, etc. Note that there may be many memory usage registrytables, one for each DP accelerator.

Referring to FIGS. 17-18, for one example, a remote client may issue acommand to run a particular application (as part of user applications203) on host server 104. The application can request via a call to anAPI provided by runtime libraries 205 to use resources from DPaccelerators 405-407. The resources can be a memory resource or aprocessor resource. For a memory resource example, upon receiving therequest, runtime libraries 205 can launch an instance of MM 1701.Runtime libraries 205 can then command DP accelerator 405, via memoryallocator 1801 of the instance, to allocate a memory block of adesignated size from memory 1703 of DP accelerator 405 for execution ofthe application.

In one embodiment, prior to requesting the resource block, MM 1701 canquery memory usage registry table(s) 1811 to determine if a resourceblock has already been allocated. MM 1701 then sends an allocationcommand to DP accelerator 405 to allocate the first memory block of theglobal memory to the application, in response to determining that thefirst memory block has not been allocated. In another embodiment, MM1701 denies the first request, in response to determining that a requestmemory block has been allocated.

MU 1705 receives the command and carries out the memory allocation. Inone embodiment, MU 1705 can traverse memory 1703 to find a continuousmemory block having the request memory block size to be allocated. Here,MU 1705 can also retain a similar memory usage registry table (e.g.,memory usage data structure) for DP accelerator 405 for MU 1705 totraverse memory 1703 for DP accelerator 405. In another embodiment, MM1701 sends the allocation command and a copy of the memory usageregistry table to DP accelerator 405. This way, MU 1705 is aware of thealready allocated memory. MU 1705 can then allocate a memory block basedon the memory usage information and return new memory usage informationfor the newly allocated memory block back to MM 1701. MM 1701 thenrecords an application identifier corresponding to the applicationrequesting the memory block, a starting address and the size for theallocated memory block onto memory usage registry table(s) 1811.Subsequent to the memory allocation, if an application running withinthe TEE tries to access a memory location of DP accelerator 405-407, MM1701 can search registry table(s) 1811 and verify if the memory locationis allocated to the application. If it is, the application is allowed toaccess the memory location. Otherwise, the application is denied accessto the memory location. Note that once a memory block is allocated, thememory block cannot be subsequently allocated until it is free.

In another embodiment, when MU 1705 returns memory usage informationupon allocation of a memory block, to avoid transmission of a physicaladdress across a communicate channel, MU 1705 can instead return avirtual memory address to MU 1701. Here, MU 1705 can include a physicalmemory address to virtual memory address mapping table. The mappingtable can map a virtual memory address to a physical memory address formemory 1703 of DP accelerator 405. This way, MU 1705 only discloses avirtual memory address so that a physical address of memory 1703 is notdisclosed over a communication channel.

When an execution of the user application completes or when a clientissues a completion command, in one embodiment, the user application cansend a memory deallocation command for memory block(s) associated withthe user application to DP accelerator 405. In another embodiment, acopy of a registry table is also sent to DP accelerator 405. In oneembodiment, prior to sending a memory deallocation command, MM 1701determines whether the memory block has been allocated to theapplication based on the memory usage information stored in the memoryusage data structure. If it is then the deallocation command is sent.Otherwise, a deallocation command is not sent (e.g., the deallocationrequest may be denied).

MU 1705 receives the deallocation command and carries out the memorydeallocation. In one embodiment, MU 1705 traverses memory 1703 to locatethe memory block to reset the memory buffers for the memory block. MU1705 then returns a status completion and/or new memory usageinformation to MM 1701. MM 1701 then updates (e.g., deletes an entry)memory usage registry table(s) 1811 according to the status completionand/or new memory usage information.

FIG. 19 is a flow diagram illustrating an example of a method accordingto one embodiment. Process 1900 may be performed by processing logicwhich may include software, hardware, or a combination thereof. Forexample, process 1900 may be performed by a host system, such as host104 of FIG. 17. Referring to FIG. 19, at block 1901, processing logicperforms a secure boot using a security module such as a trustedplatform module (TPM) of a host system. At block 1902, processing logicestablishes a trusted execution environment (TEE) associated with one ormore processors of the host system. At block 1903, processing logiclaunches a memory manager within the TEE, where the memory manager isconfigured to manage memory resources of a data processing (DP)accelerator coupled to the host system over a bus, including maintainingmemory usage information of global memory of the DP accelerator. Atblock 1904, in response to a request received from an applicationrunning within the TEE for accessing a memory location of the DPaccelerator, processing logic allows or denies the request based on thememory usage information.

In one embodiment, the memory manager is implemented as a part of aruntime library associated with the DP accelerator, which is executedwithin the TEE of the host system. In one embodiment, maintaining memoryusage information of global memory of the DP accelerator includesmaintaining a memory usage data structure to record memory allocation ofmemory blocks of the global memory of the DP accelerator. In anotherembodiment, the memory usage data structure includes a number ofentries, each entry recording a memory block of the global memory of theDP accelerator that has been allocated. In another embodiment, eachentry stores a starting memory address of a corresponding memory block,a size of the corresponding memory block, and a flag indicating whetherthe corresponding memory block has been allocated.

In another embodiment, processing logic further receives a first requestfrom the application to allocate a first memory block from the globalmemory of the DP accelerator. In response to the first request,processing logic determines whether the first memory block has beenallocated based on the memory usage information stored in the memoryusage data structure, without having to interrogate the DP accelerator.Processing logic then allocates the first memory block of the globalmemory to the application, in response to determining that the firstmemory block has not been allocated.

In another embodiment, processing logic further denies the firstrequest, in response to determining that the first memory block has beenallocated. In another embodiment, processing logic further receives asecond request from the application to deallocate a second memory blockfrom the global memory of the DP accelerator. In response to the secondrequest, processing logic determines whether the second memory block hasbeen allocated to the application based on the memory usage informationstored in the memory usage data structure. Processing logic deallocatesthe second memory block from the global memory, in response todetermining that the second memory block has been allocated to theapplication, and otherwise denies the second request.

FIG. 20 is a block diagram illustrating an example of a hostcommunicatively coupled to a DP accelerator according to one embodiment.System 2000 may represent system 900 of FIG. 9, except system 2000 canprovide root of trust services and timestamp generation services for DPaccelerators 405-407. Referring to FIG. 20, in one embodiment, DPaccelerator 405 includes security unit 1020 and time unit 2003. Securityunit 1020 can provide a root of trust services to other modules/units ofa DP accelerator using a number of encryption schemes while time unit2003 can generate timestamps for authentication of cryptographic keys tosupport different encryption schemes. Note, time unit 2003 may be astandalone unit or may be integrated with security unit 1020.

In one embodiment, security unit 1020 requires a secure time source tokeep track when cryptographic keys have been authenticated or when asession key has expired. Using a clock signal from an external sourcefor security unit 1020 can be unsecure. For example, a clock frequencyof a clock of the external source can be adjusted or a power supply tothe clock can be tampered to prolong a session key beyond an intendedtime.

FIG. 21 is a block diagram illustrating an example of a time unitaccording to one embodiment. Referring to FIG. 21, time unit 2003 canhave a standalone clock generation and a standalone power supply for asecure clock signal. Time unit 2003 can include clock generator 2101,local oscillator 2103, counter(s) 2105, power supply 2107, clockcalibrator 2109, and timestamp generator 2111. Clock generator 2101 cangenerate a clock signal locally without having to derive a clock signalfrom an external source. Local oscillator 2103 can be coupled to clockgenerator 2101 to provide a precise pulse signal. For example, localoscillator 2103 can include a crystal oscillator which can provide pulsesignals having an accuracy greater than a certain threshold, e.g., 1count per microsecond. Counter(s) 2105 can be coupled to clock generator2101 to count one or more count value based on a clock signal generatedfrom clock generator 2101. Power supply 2107 can provide a power toclock generator 2101 and timestamp generator 2111. Clock calibrator 2109can calibrate clock generator 2101. Timestamp generator 2111 can becoupled to the clock generator to generate a timestamp based on a clocksignal.

For example, power supply 2107 can provide a stable and persistent powerthrough a battery such as a dime battery. Here, the dime battery wouldbe situated on a board outside of security unit 1020. In otherembodiments, a circuitry of power supply 2107 is situated outside ofsecurity unit 1020. Local oscillator 2103 can include a high performancecrystal oscillator. Counter(s) can include one or more variable counters(e.g., 8-bit, 16-bit, 32-bit, or 64-bit, etc. variable counters) innon-volatile storage. Non-volatile storage or memory is a type of memorythat has the capability to hold saved data even if the power is turnedoff. Unlike a volatile storage, non-volatile storage does not requireits memory data to be periodically refreshed. In one embodiment, thenon-volatile storage can include a first counter, which can increment by1 for every single signal pulse of local oscillator 2103. The firstcounter can count up to a certain value, and the value can be changed byan external source or by clock calibrator 2109 to adjust the value torepresent a microsecond's signal of a clock signal. The microsecond canthen be accumulated by a second counter to generate a second's signal. Athird counter, a fourth counter, etc., can be used to accumulate aminute, hour, day, month signals, etc. Clock generator 2101 can thengenerate a clock based on the accumulated signals. Based on a clocksignal, timestamp generator can generate a timestamp. The timestamp canthen be formatted for various purposes. Some example timestamp formatsmay be: yyyy-MM-dd HH:mm:ss.SSS, yyyyMMdd.HHmmssSSS, and yyyy/MM/ddHH:mm:ss. In one embodiment, a converter can convert the timestamp fromone format to another. In another embodiment, clock calibrator 2109initially calibrates the clock generation signal to match an externalsource (e.g., an atomic clock) at a manufacturing phase of the DPaccelerator.

Next, a security unit, such as security unit 1020 of DP accelerator, canrequest time unit 2003 to generate a timestamp on a per need basis. Thetimestamp can then be used by security unit 1020 to time stampcryptographic key authentications, key generations, and/or keyexpirations. For example, if a session key is determined to be expired,based on a timestamp associated with when the session key is generated,a channel session associated with the session key may be terminated.Subsequently, a new session key may be generated if the session key isconfigured to be automatically renewed or a renewal authorization isobtained through a user application.

FIG. 22 is a block diagram illustrating an example of a security unitaccording to one embodiment. Security unit 1020 can be used by a DPaccelerator to establish and maintain a secure channel with a hostserver/system to exchange commands and data. Referring to FIG. 22,security unit 1020 can include key manager 1025, cryptography engine1029, key(s) store 1027, which can include endorsement key (EK) 2209,volatile storage 2207, non-volatile storage 2205, processor(s) 2203, andrandom number generator 2201. Random number generator 2201 can generatea random number, such as a nonce. In one embodiment, random numbergenerator 2201 can generate a random number based on a seed input, e.g.,a timestamp. Cryptography engine 1029 can perform cryptographicoperations, e.g., encryption and decryption. Non-volatile storage 2205and volatile storage 2207 can be storage areas for security unit 1020.Key(s) store 1027 can be a key storage area of security unit 1020 whichcan safe keep a unique endorsement credential (EC) or endorsement key(EK) 2209. Here, EC or EK refers to a public key (e.g., PK_RK) of apublic/private encryption root key pair (e.g., PK_RK and SK_RK) that israndomly generated and embedded in the security unit 1020 at the time ofmanufacturing. The private root key (e.g., SK_RK) corresponding to theEK may also be embedded in non-volatile storage 2205, however theprivate root key is never released outside of security unit 1020. Anexample key pair can be a 2048-bit RSA cryptographic key pair.

During a manufacturing/testing phase, a DP accelerator can be internallytested and configured and EK 2209 can be generated and embedded securityunit 1020. In one embodiment, EK 2209 can be uploaded onto a trustedcertification server where the public key or EK can be signed and asigned certificate of the EK can be used to verify that the EK isgenuine. Here, the certification server can be a government endorsementserver, a third-party trusted authentication server, or a local server.

During a deployment phase, after a DP accelerator is powered on, EK 2209can be read from security unit 1020 and EK 2209 can be verified locallyor through a certification server as genuine. A DP accelerator would betreated as genuine once EK verification is successful. The verified EK,as well as the private root key internal to security unit 1020, can thenbe used to derive other cryptographic keys, such as a channel sessionkey as described above, or temporary public/private key pairs (e.g.,PK_d and SK_d), etc.

Runtime kernels or kernels (or kernel objects) refer to mathematical orcomputational functions used to support operations of a DP accelerator.A kernel may be a math function called by a user application. For someembodiments, kernels may be uploaded from a host server or other serversto a DP accelerator to be executed by the DP accelerator. An examplekernel may be a matrix multiplication kernel, which supports a matrixmultiplication operation to be executed by the DP accelerator. Note thatthere can be hundreds of kernels, each dedicated to support a differentmathematical or computational function to be executed by the DPaccelerator. Keeping track of a source of kernels, which kernels areuploaded to a DP accelerator, and which are modified can be challenging.Thus, a kernel validation (or verification) and a kernel attestationprotocol or schemes are needed to ensure genuine sources and integrityof the kernels.

FIG. 23 is a block diagram illustrating an example of a host servercommunicatively coupled to a DP accelerator to validate kernel objectsaccording to one embodiment. System 2300 may be system 900 of FIG. 9.Referring to FIG. 23, in one embodiment, host server 104 includes TEE201 which includes user application 203 and runtime libraries 205.Runtime libraries 205 can include kernel verifier module 2301 and kernelcertificates store 2303. Kernel certificates store 2303 can storecertificates for kernels (or simply a list of public keys) listed bykernel identifiers, where the certificates can be signed by trustedcertification authorities (CAs) or a local trusted server. Kernelverifier module 2301 can verify a signed kernel object based on kernelcertificates information from kernel certificates store 2303.

Host server 104 can be communicatively coupled to persistent storagedevices (e.g., storage disks) 2305 and DP accelerators 405-407. Notethat persistent storage devices 2305 may be part of host server 104 ormay be a remote storage unit. Persistent storage devices 2305 caninclude kernel objects 2307. Because kernel objects 2307 may come fromremote sources, signing the kernel objects ensure the objects are from atrusted source. A kernel object can refer to an object that includes abinary file for a kernel. In one embodiment, each kernel objects ofkernel objects 2307 includes an executable image of the kernel and acorresponding signature. Furthermore, the executable image of the kernelmay be encrypted. Note that a signature is a hash of a kernel signedusing a private key of a public/private kernel key pair corresponding tothe kernel object. The signature can be verified using a public keycorresponding to the private key that was used to sign the kernel. E.g.,the public key can be obtained from a kernel certificate for the kernelobject). In some embodiments, the kernel objects are signed (using aprivate key of the kernel developer) as kernel developers initiallygenerate the kernels. The signed kernels can then include correspondingkernel certificates (e.g. public keys) for verification (or validation)to ensure the kernels are genuine.

FIG. 24 is a flow chart illustrating an example kernel objectsverification protocol according to one embodiment. Kernel objectsverification refers to validation of kernel objects 2307 to be genuinebefore introducing kernel objects 2307 into TEE 201 of host server 104and/or DP accelerator 405. Example 2400 can be performed by system 2300of FIG. 23. In one embodiment, before verification, user application 203(or runtime libraries 205) obtains a list of public keys, e.g., PK_i,PK_j . . . , PK_n, from certificates of trusted certificationauthorities or trusted signers, where corresponding private keys, e.g.,SK_i, SK_j, . . . , SK_n are private keys of kernel developers that wereused to sign kernel objects 2307. In one embodiment, when userapplication 203 (or runtime libraries 205) invokes a kernel (identifiedby a kernel identifier) to be executed by DP accelerator 405 (or anyother DP accelerators), user application 203 (or runtime libraries 205)determines if the kernel has already been updated onto DP accelerator405. If not, host server 104 performs operations 2400 to verify thekernel before uploading the kernel to DP accelerator 405 according toone embodiment. Note that runtime libraries 205 may invoke a chain ofkernels, if invoking one kernel invokes other kernels.

In operation 2401, user application 203 (or runtime libraries 205) (aspart of TEE 201) requests the kernel (as part of kernel objects 2307) tobe loaded onto OS 211 based on a kernel identifier (ID). In oneembodiment, the kernel ID can be a global unique identifier e.g., GUIDor UUID. In one embodiment, a kernel object includes a kernel (e.g., anexecutable image), a kernel ID, and a signature for the kernel. Thesignature can be an encrypted hash of the kernel. In another embodiment,the kernel object includes an encrypted kernel (e.g., an encryptedexecutable image). In operation 2402, OS 211 retrieves the kernel objectfrom persistent storage 2305 by kernel ID. In operation 2403, OS 211sends kernel object back to TEE 201 of host server 104. In operation2404, kernel verifier module 2301 retrieves a kernel certificate fromkernel certificates store 2303 correspond to the kernel ID and verifieswhether the kernel object is genuine. In one embodiment, verifying akernel includes applying a public key to a signature of the kernelobject to decrypt the signature to generate an expected hash value.Kernel verifier module 2301 then generates a hash value for the kernel,and compares to determine a difference of the expected hash value to thegenerated hash value. If there is no difference, the signature is valid.If the signature is valid then integrity of the kernel is verified, andthe kernel object is deemed genuine and sourced by a trusted developer.In another embodiment, verifying a kernel includes applying a public keyto an encrypted executable image of the kernel to decrypt and obtain thekernel, if the kernel is encrypted.

In operation 2405, if the kernel (e.g., executable image) is verified tobe trusted then, in operation 2406, the kernel object is sent, by TEE201 of host server 104, to DP accelerator 405. Thereafter, the invokedkernel can be executed by one or more execution unit(s) of DPaccelerator 405.

FIG. 25 is a flow diagram illustrating an example of a method accordingto one embodiment. Process 2500 may be performed by processing logicwhich may include software, hardware, or a combination thereof. Forexample, process 2500 may be performed by host system, such as host 104of FIG. 23. Referring to FIG. 25, at block 2501, processing logicreceives, at a runtime library executed within a trusted executionenvironment (TEE) of a host system, a request from an application toinvoke a predetermined function to perform a predefined operation. Atblock 2502, in response to the request, processing logic identifies akernel object associated with the predetermined function. At block 2503,processing logic verifies an executable image of the kernel object usinga public key corresponding to a private key that was used to sign theexecutable image of the kernel object. At block 2504, in response tosuccessfully verifying the executable image of the kernel object,processing logic transmits the verified executable image of the kernelobject to a data processing (DP) accelerator over a bus to be executedby the DP accelerator to perform the predefined operation.

In one embodiment, the runtime library is configured to verify thekernel object by decrypting a signature of the kernel object using thepublic key corresponding to the private key, where the kernel object isto be transmitted to the DP accelerator in an unencrypted form. Inanother embodiment, processing logic further verifies an integrity ofthe kernel object by hashing the executable image of the kernel objectusing a predetermined hash function.

In one embodiment, the kernel object is stored in an unsecure locationof a persistent storage device. In another embodiment, the kernel objectis one of many kernel objects stored in the persistent storagedevice(s), where the runtime library maintains a list of public keysassociated with the kernel objects respectively that are used to verifythe kernel objects.

In one embodiment, the DP accelerator comprises one or more executionunits configured to execute the executable image of the kernel object toon behalf of the application in a distributed manner. In one embodiment,the public key was obtained from a trusted server and the public key wasprovided by a provider of the kernel object, and where the kernel objectincludes a signature signed by the provider using the private key.

FIG. 26 is a block diagram illustrating an example of a host servercommunicatively coupled to a DP accelerator for kernels attestationaccording to one embodiment. Kernels attestation includes verifying anintegrity of a kernel which has been already uploaded onto a DPaccelerator, so to ensure the kernel has not been modified by some thirdparty in transmission. The integrity of the kernel can be verifiedthrough verifying a signature for the kernel. System 2600 may be system900 of FIG. 9. Referring to FIG. 26, in one embodiment, host server 104includes TEE 201 which includes user application 203, runtime libraries205, attestation module 2601, and kernel digests store 2603. Kerneldigests store 2603 can store a number of kernel digests corresponding tokernels already uploaded onto different DP accelerators. In oneembodiment, a kernel digest refers to a non-cryptographic hash of akernel, or any type of function of the kernel (e.g., checksum, CRC,etc.). Kernel digests store 2603 can also store a mapping of kernel IDs,DP accelerator IDs for the kernel digests. The mappings can identifywhich kernels have already been uploaded to which DP accelerators. Basedon kernel digests information from kernel digests store 2603,attestation module 2601 can attest a kernel based on kernel digestsinformation from kernel digests store 2603.

Referring to FIG. 26, DP accelerator 405 can include security unit 1020,attestation unit 2605, execution units 2607, and storage devices 2609.Storage devices 2609 can include kernel objects 2611. Attestation unit2605 can communicate with attestation module 2601 via an attestationprotocol. Storage devices 2609 can be one or more storage devicesstoring kernel objects 2611. Kernel objects 2611 may include one or morekernels (and corresponding kernel IDs) previously uploaded to DPaccelerator 405. Execution units 2607 can execute one or more invokedkernels from kernel objects 2611.

In one embodiment, user application 203 (or runtime libraries 205) candetermine if a kernel object has already been updated onto DPaccelerator 405 by generating a kernel digest to query if the generatedkernel digest is found in the kernel digests information from kerneldigests store 2603 to determine if the kernel already resides on a DPaccelerator. Alternatively, a kernel ID can be queried to determine ifthe kernel already resides on a DP accelerator. If found, thenattestation begins, otherwise user application 203 (or runtime libraries205) verifies the kernel object (as described above) and generates akernel digest for the kernel to be stored in kernel digests store 2603.User application 203 (or runtime libraries 205) then uploads a copy ofthe kernel binary file onto the DP accelerator. In a subsequentexecution sessions, the kernel can be attested by the user application(or runtime library) in response to invocation of the kernel.

FIG. 27 is a flow chart illustrating an example attestation protocolaccording to one embodiment. In one embodiment, example 2700 can beperformed between attestation module 261 of host server 104 andattestation unit 2605 of DP accelerator 405 of FIG. 26. Referring toFIG. 27, in operation 2701, host server 104 requests an attestation keyfrom DP accelerator 405. In operation 2702, in response to the request,DP accelerator 405 generates a public/private attestation key pair(e.g., PK_ATT, SK_ATT) and signs PK_ATT with a private root key (e.g.,SK_RK) associated with DP accelerator 405.

In operation 2703, DP accelerator 405 sends a message with the PK_ATTand signed (PK_ATT) back to host server 104. In operation 2704, hostserver 104 receives the message, decrypts the signed PK_ATT using apublic root key (e.g., PK_RK) associated with DP accelerator 405, andcompares the received PK_ATT and the decrypted PK_ATT to verify thesigned PK_ATT. In one embodiment, the host system has previouslyreceived the PK_RK associated with the DP accelerator from the DPaccelerator or from a trusted server over a network. If the receivedPK_ATT matches the decrypted PK_ATT, host server 104 has verified thatthe PK_ATT is indeed generated by DP accelerator 405. Note, operations2701-2704 can be performed for attestation at any time before operation2705. In other words, a same attestation key can be used for apredetermined period of time, e.g., a week, and the attestation key isnot related to any attested kernel, e.g., the attestation key can beused for many kernels.

In operation 2705, host server 104 sends a command ‘CMD_DO_ATTESTATION’together with a kernel ID of a kernel to DP accelerator 405 to requestsfor a quote. In operation 2706, in response to receiving the commandrequest, DP accelerator 405 measures kernel integrity of the kernel. Inone embodiment, the executable image of the kernel (as part of kernelobjects 2611) is hashed to generate a kernel digest. The kernel digesttogether with a timestamp is then signed with SK_ATT. Here, thetimestamp can be generated by a time unit such as time unit 2003 of FIG.20.

In operation 2707, DP accelerator 405 sends a message with the signedkernel digest together with the timestamp to host server 104. Inoperation 2708, in response to receiving the message, host server 104decrypts the signed kernel digest together with the timestamp usingPK_ATT. Host server 104 then checks the timestamp to verify that themessage has not elapsed for more than a predetermined time period (e.g.,a day). Host server 104 then verifies that the kernel digest belongs toa kernel previous uploaded to DP accelerator. In one embodiment, hostserver 104 queries the receive kernel digest from the kernel digestsinformation from kernel digests store 2603. If an entry matching a DPaccelerator ID of DP accelerator 405 is found then the kernelattestation is successful. Otherwise, the attestation fails. Inoperation 2709, host server 104 can send the attestation or verificationresults to DP accelerator 405. Based on the results, the kernel isallowed or denied to be executed by an execution unit of DP accelerator405.

FIGS. 28A and 28B are flow diagrams illustrating example methodsaccording to some embodiments. Processes 2800 and 2820 may be performedby processing logic which may include software, hardware, or acombination thereof. For example, process 2800 may be performed by hostserver 104 and process 2820 may be performed by DP accelerator 405 ofFIG. 26. Referring to FIG. 28A, at block 2801, processing logic receivesat a host system a public attestation key (PK_ATT) or a signed PK_ATTfrom a data processing (DP) accelerator over a bus. At block 2802,processing logic verifies the PK_ATT using a public root key (PK_RK)associated with the DP accelerator. At block 2803, in response tosuccessfully verifying the PK_ATT, processing logic transmits a kernelidentifier (ID) to the DP accelerator to request attestation of a kernelobject stored in the DP accelerator. At block 2804, in response toreceiving a kernel digest or a signed kernel digest corresponding to thekernel object form the DP accelerator, processing logic verifies thekernel digest using the PK_ATT. At block 2805, processing logic sendsthe verification results to the DP accelerator for the DP accelerator toaccess the kernel object based on the verification results.

In one embodiment, processing logic further transmits a request forattestation to the DP accelerator, where the DP accelerator generates anattestation key pair having the PK_ATT and a private attestation key(SK_ATT), in response to the request for attestation. Processing logicthen receives from the DP accelerator an encrypted PK_ATT signed using aprivate root key (SK_RK) of the DP accelerator. In another embodiment,processing logic further decrypts at the host system the encryptedPK_ATT using a public root key (PK_RK) associated with the DPaccelerator, and verifies that the PK_ATT received from the DPaccelerator is identical to the decrypted PK_ATT. In one embodiment, thepublic root key (PK_RK) associated with the DP accelerator may bereceived by host server 104 come from a trusted server over a network.

In one embodiment, the kernel digest is generated by hashing anexecutable image of the kernel object by the DP accelerator. In anotherembodiment, the kernel digest is signed using a private attestation key(SK_ATT) corresponding to the PK_ATT. In another embodiment, the kerneldigest is signed together with a timestamp generated at a point in time,where the timestamp is utilized by the host system to verify that thekernel digest was generated within a predetermined period of time. Inone embodiment, the host system receives the PK_RK associated with theDP accelerator from a predetermined trusted server over a network.

Referring to FIG. 28B, in block 2821, in response to an attestationrequest received from a host system, processing logic generates at adata processing (DP) accelerator an attestation key pair having a publicattestation key (PK_ATT) and a private attestation key (SK_ATT). Atblock 2822, processing logic transmits the PK_ATT or a signed PK_ATTfrom the DP accelerator to the host system, where the DP accelerator iscoupled to the host system over a bus. At block 2823, processing logicreceives a kernel identifier (ID) identifying a kernel object from thehost system, where the kernel ID is received in response to successfulverification of the PK_ATT. At block 2824, processing logic generates akernel digest by hashing an executable image of the kernel object inresponse to the kernel ID. At block 2825, processing logic transmits thekernel digest or a signed kernel digest to the host system to allow thehost system to verify and attest the kernel object before accessing thekernel object to be executed within the DP accelerator.

In one embodiment, processing logic further signs the PK_ATT using aprivate root key (SK_RK) associated with the DP accelerator and sendsthe signed PK_ATT to the host system to allow the host system to verifythat the PK_ATT come from the DP accelerator. In another embodiment, thehost system is configured to decrypt the signed PK_ATT using a publicroot key (PK_RK) corresponding to the SK_RK and verify the PK_ATT bycomparing the PK_ATT received from the DP accelerator and the decryptedPK_ATT.

In one embodiment, processing logic further signs the kernel digestusing the SK_ATT and sends the signed kernel digest to the host systemto allow the host system to verify that the kernel digest is sent by theDP accelerator. In another embodiment, the host system is configured todecrypt the signed kernel digest using the PK_ATT and verify the kerneldigest by comparing the kernel digest received from the DP acceleratorand the decrypted kernel digest. In another embodiment, processing logicfurther generates a timestamp and signs the kernel digest together withthe timestamp, where the timestamp is utilized by the host system toverify freshness of the kernel digest.

The DP accelerators communicatively coupled to a host server can befurther validated to be the DP accelerators to be expected by the hostserver. The assurance can be achieved by ways of a third party trustedserver and/or certification authority.

FIG. 29 is a block diagram illustrating an example of a host servercommunicatively coupled to trusted server and a DP accelerator accordingto one embodiment. DP accelerator validation refers to verifying acertificate of the DP accelerator from a trusted server. The trustedserver can be a third party certification authority or a local server.System 2900 may be system 900 of FIG. 9. Referring to FIG. 29, in oneembodiment, host server 104 includes TEE 201, which includes keyverification module 2901 and PK_RK(s) 2903. PK_RK(s) 2903 can storepublic keys associated with DP accelerators. Key verification module2901 can verify a public key for a DP accelerator via a trusted server,such as trusted server 2921. Trusted server 2921 can include DPaccelerator certificates 2923.

Referring to FIG. 29, DP accelerator can include security unit 1020which can include key verification unit 2905 and storage 2913. Storage2913 can include SK_RK 2907, accelerator ID (e.g., serial number and/orUUID) 2909, and version number 2911. Version number can denote afirmware version for DP accelerator 405, and the version number can beupdated according to a firmware version of DP accelerator 405. Keyverification unit 2905 can communicate with a key verification module,such as key verification module 2901 of host server 104, to provideinformation about the DP accelerator (e.g., accelerator ID 2909 and/orversion number 2911) to host server 104.

As a preliminary matter, in one embodiment, host server 104 may alreadyhave a copy of PK_RK associated with DP accelerator 405. However, whenDP accelerator 405 is initially introduced to host server 104 or when DPaccelerator 405 is reintroduced, a PK_RK for DP accelerator 405 may needto be validated or re-validated for host server 104.

FIG. 30 is a flow chart illustrating an example DP acceleratorvalidation protocol according to one embodiment. Protocol 3000 can be anexample embodiment to validate a PK_RK for DP accelerator 405. Referringto FIGS. 29-30, protocol 3000 can be performed between key verificationmodule 2901 of host server 104 and key verification unit 2905 of DPaccelerator 405.

Referring to FIG. 30, in operation 3001, host server 104 requests anaccelerator ID from accelerator 405. In operation 3002, in response tothe request, DP accelerator 405 returns accelerator ID 2909 to hostserver 104 (e.g., a serial number or a UUID of the DP accelerator). Inoperation 3003, host server 104 sends the received accelerator ID totrusted server 2921. Here, trusted server 2921 may be a certificationauthority, a third party trusted server or a local trusted server withcertificate information about DP accelerator 405. In operation 3004, inresponse to the request, trusted server 2921 sends a certificateassociated with the accelerator ID of DP accelerator 405 to host server104.

In operation 3005, host server 104 extracts the certificate information(e.g., a public key PK_RK) from the certificate associated with theaccelerator ID and stores the certificate information along with theaccelerator ID in local storage, e.g., PK_RK(s) 2903. In one embodiment,the extracted PK_RK may be verified against an existing PK_RK for DPaccelerator 405 (e.g., the existing PK_RK as part of PK_RK(s) 2903)which may have been previously obtained for DP accelerator 405.Optionally, the certificate information can be verified by verifying acertificate chain of the trusted server 2921. A certificate chain is anordered list of certificates that enables a receiver to verify that asender and the trusted server (e.g., a certificate authority) aretrustworthy. In operation 3006, based on the verification and/or thecertificate information, e.g., PK_RK, host server 104 then requests asecure connection (e.g., one or more secure channels) to be establishedwith DP accelerator 405.

Note that thereafter, host server 104 can use the PK_RK to decryptsecure messages sent by DP accelerator 405, where the secure messagesare encrypted by SK_RK. These messages can include verification messagesassociated with attestation key pairs (e.g., PK_ATT, SK_ATT), to verifya signature for a public attestation key to attest a kernel objectstored in the DP accelerator, as described above. The messages can alsoinclude verification messages for temporary public/private key pairs(e.g., PK_d, SK_d), and session keys for DP accelerator 405, asdescribed above. In some embodiments, a randomly generated numbertogether with version number 2911 of FIG. 29, can be used to generatethe attestation key pairs and the temporary public/private key pairs. Inthis case, if the version number 2911 is updated, e.g., due to afirmware upgrade, the attestation key pairs and temporary public/privatekey pairs for a session would expire.

The DP accelerator can generate public/private attestation key pairs(e.g., PK_ATT, SK_ATT) further based on a version number (version number2911 of FIG. 29) of the accelerator and/or a random number generated bya random number generator. Similarly, temporary public/private key pairs(e.g., PK_d, SK_d, where SK_d is used to establish a session keyassociated with a communication session between the host system and theDP accelerator) can be generated further based on a version number(version number 2911 of FIG. 29) of the accelerator and/or a randomnumber generated by a random number generator.

FIG. 31 is a flow diagram illustrating an example of a method accordingto one embodiment. Process 3100 may be performed by processing logicwhich may include software, hardware, or a combination thereof. Forexample, process 3100 may be performed by host system, such as host 104of FIG. 29. Referring to FIG. 31, at block 3101, processing logicreceives, at a host system from a DP accelerator, an accelerator ID thatuniquely identifies the DP accelerator, where the host system is coupledto the DP accelerator over a bus. At block 3102, processing logictransmits the accelerator ID to a predetermined trusted server over anetwork. At block 3103, process logic receives a certificate from thepredetermined trusted server over the network, where the certificateincludes a public key (PK_RK) associated with the DP accelerator. Atblock 3104, optionally, in one embodiment, processing logic verifies thecertificate is associated with the predetermined trusted server, e.g.,by verifying a certificate chain for the trusted server. At block 3105,process logic extracts the public root key (PK_RK) from the certificate,and verifies the extracted PK_RK with a PK_RK previously sent by the DPaccelerator, to certify that the DP accelerator is indeed the DPaccelerator it is claiming to be. At block 3106, processing logicestablishes a secure channel with the DP accelerator using the PK_RKbased on the verification to exchange data securely between the hostsystem and the DP accelerator.

In one embodiment, the DP accelerator includes one or more executionunits operable to perform data processing operations on behalf of anapplication hosted within the host system. In one embodiment, thepredetermined trusted server is associated with a provider of theapplication. In one embodiment, the predetermined trusted server isassociated with a provider of the DP accelerator. In one embodiment, thePK_RK is further utilized to verify a signature generated for the DPaccelerator.

In another embodiment, the PK_RK is utilized by the host system toestablish a session key associated with a communication session betweenthe host system and the DP accelerator. In another embodiment, the PK_RKis utilized by the host system to verify a signature for a publicattestation key to attest a kernel object stored in the DP accelerator.

Note that some or all of the components as shown and described above maybe implemented in software, hardware, or a combination thereof. Forexample, such components can be implemented as software installed andstored in a persistent storage device, which can be loaded and executedin a memory by a processor (not shown) to carry out the processes oroperations described throughout this application. Alternatively, suchcomponents can be implemented as executable code programmed or embeddedinto dedicated hardware such as an integrated circuit (e.g., anapplication specific IC or ASIC), a digital signal processor (DSP), or afield programmable gate array (FPGA), which can be accessed via acorresponding driver and/or operating system from an application.Furthermore, such components can be implemented as specific hardwarelogic in a processor or processor core as part of an instruction setaccessible by a software component via one or more specificinstructions.

FIG. 32 is a block diagram illustrating an example of a data processingsystem which may be used with one embodiment of the invention. Forexample, system 1500 may represent any of data processing systemsdescribed above performing any of the processes or methods describedabove, such as, for example, a client device or a server describedabove, such as, for example, clients 101-102, and server 104, asdescribed above.

System 1500 can include many different components. These components canbe implemented as integrated circuits (ICs), portions thereof, discreteelectronic devices, or other modules adapted to a circuit board such asa motherboard or add-in card of the computer system, or as componentsotherwise incorporated within a chassis of the computer system.

Note also that system 1500 is intended to show a high level view of manycomponents of the computer system. However, it is to be understood thatadditional components may be present in certain implementations andfurthermore, different arrangement of the components shown may occur inother implementations. System 1500 may represent a desktop, a laptop, atablet, a server, a mobile phone, a media player, a personal digitalassistant (PDA), a Smartwatch, a personal communicator, a gaming device,a network router or hub, a wireless access point (AP) or repeater, aset-top box, or a combination thereof. Further, while only a singlemachine or system is illustrated, the term “machine” or “system” shallalso be taken to include any collection of machines or systems thatindividually or jointly execute a set (or multiple sets) of instructionsto perform any one or more of the methodologies discussed herein.

In one embodiment, system 1500 includes processor 1501, memory 1503, anddevices 1505-1508 via a bus or an interconnect 1510. Processor 1501 mayrepresent a single processor or multiple processors with a singleprocessor core or multiple processor cores included therein. Processor1501 may represent one or more general-purpose processors such as amicroprocessor, a central processing unit (CPU), or the like. Moreparticularly, processor 1501 may be a complex instruction set computing(CISC) microprocessor, reduced instruction set computing (RISC)microprocessor, very long instruction word (VLIW) microprocessor, orprocessor implementing other instruction sets, or processorsimplementing a combination of instruction sets. Processor 1501 may alsobe one or more special-purpose processors such as an applicationspecific integrated circuit (ASIC), a cellular or baseband processor, afield programmable gate array (FPGA), a digital signal processor (DSP),a network processor, a graphics processor, a network processor, acommunications processor, a cryptographic processor, a co-processor, anembedded processor, or any other type of logic capable of processinginstructions.

Processor 1501, which may be a low power multi-core processor socketsuch as an ultra-low voltage processor, may act as a main processingunit and central hub for communication with the various components ofthe system. Such processor can be implemented as a system on chip (SoC).Processor 1501 is configured to execute instructions for performing theoperations and steps discussed herein. System 1500 may further include agraphics interface that communicates with optional graphics subsystem1504, which may include a display controller, a graphics processor,and/or a display device.

Processor 1501 may communicate with memory 1503, which in one embodimentcan be implemented via multiple memory devices to provide for a givenamount of system memory. Memory 1503 may include one or more volatilestorage (or memory) devices such as random access memory (RAM), dynamicRAM (DRAM), synchronous DRAM (SDRAM), static RAM (SRAM), or other typesof storage devices. Memory 1503 may store information includingsequences of instructions that are executed by processor 1501, or anyother device. For example, executable code and/or data of a variety ofoperating systems, device drivers, firmware (e.g., input output basicsystem or BIOS), and/or applications can be loaded in memory 1503 andexecuted by processor 1501. An operating system can be any kind ofoperating systems, such as, for example, Windows® operating system fromMicrosoft®, Mac OS/iOS from Apple, Android® from Google®, Linux®, Unix®,or other real-time or embedded operating systems such as VxWorks.

System 1500 may further include 10 devices such as devices 1505-1508,including network interface device(s) 1505, optional input device(s)1506, and other optional 10 device(s) 1507. Network interface device1505 may include a wireless transceiver and/or a network interface card(NIC). The wireless transceiver may be a WiFi transceiver, an infraredtransceiver, a Bluetooth transceiver, a WiMax transceiver, a wirelesscellular telephony transceiver, a satellite transceiver (e.g., a globalpositioning system (GPS) transceiver), or other radio frequency (RF)transceivers, or a combination thereof. The NIC may be an Ethernet card.

Input device(s) 1506 may include a mouse, a touch pad, a touch sensitivescreen (which may be integrated with display device 1504), a pointerdevice such as a stylus, and/or a keyboard (e.g., physical keyboard or avirtual keyboard displayed as part of a touch sensitive screen). Forexample, input device 1506 may include a touch screen controller coupledto a touch screen. The touch screen and touch screen controller can, forexample, detect contact and movement or break thereof using any of aplurality of touch sensitivity technologies, including but not limitedto capacitive, resistive, infrared, and surface acoustic wavetechnologies, as well as other proximity sensor arrays or other elementsfor determining one or more points of contact with the touch screen.

IO devices 1507 may include an audio device. An audio device may includea speaker and/or a microphone to facilitate voice-enabled functions,such as voice recognition, voice replication, digital recording, and/ortelephony functions. Other IO devices 1507 may further include universalserial bus (USB) port(s), parallel port(s), serial port(s), a printer, anetwork interface, a bus bridge (e.g., a PCI-PCI bridge), sensor(s)(e.g., a motion sensor such as an accelerometer, gyroscope, amagnetometer, a light sensor, compass, a proximity sensor, etc.), or acombination thereof. Devices 1507 may further include an imagingprocessing subsystem (e.g., a camera), which may include an opticalsensor, such as a charged coupled device (CCD) or a complementarymetal-oxide semiconductor (CMOS) optical sensor, utilized to facilitatecamera functions, such as recording photographs and video clips. Certainsensors may be coupled to interconnect 1510 via a sensor hub (notshown), while other devices such as a keyboard or thermal sensor may becontrolled by an embedded controller (not shown), dependent upon thespecific configuration or design of system 1500.

To provide for persistent storage of information such as data,applications, one or more operating systems and so forth, a mass storage(not shown) may also couple to processor 1501. In various embodiments,to enable a thinner and lighter system design as well as to improvesystem responsiveness, this mass storage may be implemented via a solidstate device (SSD). However in other embodiments, the mass storage mayprimarily be implemented using a hard disk drive (HDD) with a smalleramount of SSD storage to act as a SSD cache to enable non-volatilestorage of context state and other such information during power downevents so that a fast power up can occur on re-initiation of systemactivities. Also a flash device may be coupled to processor 1501, e.g.,via a serial peripheral interface (SPI). This flash device may providefor non-volatile storage of system software, including a basicinput/output software (BIOS) as well as other firmware of the system.

Storage device 1508 may include computer-accessible storage medium 1509(also known as a machine-readable storage medium or a computer-readablemedium) on which is stored one or more sets of instructions or software(e.g., module, unit, and/or logic 1528) embodying any one or more of themethodologies or functions described herein. Processingmodule/unit/logic 1528 may represent any of the components describedabove, such as, for example, host server 104 of FIG. 2, runtimelibraries 205 of FIG. 2, DP accelerator 405 of FIG. 4, IO manager 401 orIO interface 415 of FIG. 4, HCM 901 or ACM 915 of FIGS. 9 and 14, and MM1701 of FIG. 17, security unit 1020 and time unit 2003 of FIG. 20, asdescribed above. Processing module/unit/logic 1528 may also reside,completely or at least partially, within memory 1503 and/or withinprocessor 1501 during execution thereof by data processing system 1500,memory 1503 and processor 1501 also constituting machine-accessiblestorage media. Processing module/unit/logic 1528 may further betransmitted or received over a network via network interface device1505.

Computer-readable storage medium 1509 may also be used to store the somesoftware functionalities described above persistently. Whilecomputer-readable storage medium 1509 is shown in an exemplaryembodiment to be a single medium, the term “computer-readable storagemedium” should be taken to include a single medium or multiple media(e.g., a centralized or distributed database, and/or associated cachesand servers) that store the one or more sets of instructions. The terms“computer-readable storage medium” shall also be taken to include anymedium that is capable of storing or encoding a set of instructions forexecution by the machine and that cause the machine to perform any oneor more of the methodologies of the present invention. The term“computer-readable storage medium” shall accordingly be taken toinclude, but not be limited to, solid-state memories, and optical andmagnetic media, or any other non-transitory machine-readable medium.

Processing module/unit/logic 1528, components and other featuresdescribed herein can be implemented as discrete hardware components orintegrated in the functionality of hardware components such as ASICS,FPGAs, DSPs or similar devices. In addition, processingmodule/unit/logic 1528 can be implemented as firmware or functionalcircuitry within hardware devices. Further, processing module/unit/logic1528 can be implemented in any combination hardware devices and softwarecomponents.

Note that while system 1500 is illustrated with various components of adata processing system, it is not intended to represent any particulararchitecture or manner of interconnecting the components; as suchdetails are not germane to embodiments of the present invention. It willalso be appreciated that network computers, handheld computers, mobilephones, servers, and/or other data processing systems which have fewercomponents or perhaps more components may also be used with embodimentsof the invention.

Some portions of the preceding detailed descriptions have been presentedin terms of algorithms and symbolic representations of operations ondata bits within a computer memory. These algorithmic descriptions andrepresentations are the ways used by those skilled in the dataprocessing arts to most effectively convey the substance of their workto others skilled in the art. An algorithm is here, and generally,conceived to be a self-consistent sequence of operations leading to adesired result. The operations are those requiring physicalmanipulations of physical quantities.

It should be borne in mind, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities. Unlessspecifically stated otherwise as apparent from the above discussion, itis appreciated that throughout the description, discussions utilizingterms such as those set forth in the claims below, refer to the actionand processes of a computer system, or similar electronic computingdevice, that manipulates and transforms data represented as physical(electronic) quantities within the computer system's registers andmemories into other data similarly represented as physical quantitieswithin the computer system memories or registers or other suchinformation storage, transmission or display devices.

The techniques shown in the figures can be implemented using code anddata stored and executed on one or more electronic devices. Suchelectronic devices store and communicate (internally and/or with otherelectronic devices over a network) code and data using computer-readablemedia, such as non-transitory computer-readable storage media (e.g.,magnetic disks; optical disks; random access memory; read only memory;flash memory devices; phase-change memory) and transitorycomputer-readable transmission media (e.g., electrical, optical,acoustical or other form of propagated signals—such as carrier waves,infrared signals, digital signals).

The processes or methods depicted in the preceding figures may beperformed by processing logic that comprises hardware (e.g. circuitry,dedicated logic, etc.), firmware, software (e.g., embodied on anon-transitory computer readable medium), or a combination of both.Although the processes or methods are described above in terms of somesequential operations, it should be appreciated that some of theoperations described may be performed in a different order. Moreover,some operations may be performed in parallel rather than sequentially.

In the foregoing specification, embodiments of the invention have beendescribed with reference to specific exemplary embodiments thereof. Itwill be evident that various modifications may be made thereto withoutdeparting from the broader spirit and scope of the invention as setforth in the following claims. The specification and drawings are,accordingly, to be regarded in an illustrative sense rather than arestrictive sense.

What is claimed is:
 1. A computer-implemented method for keydistribution of a data processing accelerator, the method comprising:receiving a request to establish a secure channel between a userapplication and a data processing (DP) accelerator; authenticating theuser application to determine whether the user application haspermission to access resources of the DP accelerator; in response todetermining that the user application has permission to access theresources of the DP accelerator and in response to the user applicationinvoking a kernel object that is not residing on the DP accelerator:receiving, at a host system from the DP accelerator, an acceleratoridentifier (ID) that uniquely identifies the DP accelerator, wherein thehost system is coupled to the DP accelerator over a bus; transmittingthe accelerator ID to a predetermined trusted server over a network;receiving a certificate from the predetermined trusted server over thenetwork, the certificate certifying the DP accelerator; verifying thecertificate by verifying a certificate chain of the predeterminedtrusted server; extracting a public root key (PK_RK) from thecertificate for verification, the PK_RK corresponding to a private rootkey (SK_RK) associated with the DP accelerator; verifying a kernel ofthe kernel object by applying the PK_RK to a signature of the kernelobject resulting in an expected hash value, and comparing the expectedhash value to a hash value of the kernel; establishing a secure channelwith the DP accelerator using the PK_RK based on the verification toexchange data securely between the host system and the DP accelerator;and in response to the kernel being verified; sending the kernel to theDP accelerator for execution.
 2. The method of claim 1, wherein the DPaccelerator includes one or more execution units operable to performdata processing operations on behalf of the user application hostedwithin the host system, and the user application is executing within atrusted execution environment (TEE).
 3. The method of claim 2, whereinthe predetermined trusted server is associated with a provider of theuser application.
 4. The method of claim 1, wherein the predeterminedtrusted server is associated with a provider of the DP accelerator. 5.The method of claim 1, wherein the PK_RK is further utilized to verify asignature generated for the DP accelerator.
 6. The method of claim 5,wherein the PK_RK is utilized by the host system to establish a sessionkey associated with a communication session between the host system andthe DP accelerator, and in response to the user application signaling acompletion of the communication session between the host system and theDP accelerator, the session key associated with the communicationsession is destroyed and a termination message is sent to the DPaccelerator.
 7. The method of claim 6, wherein the PK_RK is utilized bythe host system to verify a signature for a public attestation key toattest a second kernel object that is stored in the DP accelerator,wherein the public attestation key is based at least upon a randomlygenerated number together with a version number of a firmware of the DPaccelerator, and the session key expires in response to a firmware ofthe DP accelerator being upgraded.
 8. A non-transitory machine-readablemedium having instructions stored therein, which when executed by aprocessor, cause the processor to perform operations, the operationscomprising: receiving a request to establish a secure channel between auser application and a data processing (DP) accelerator; authenticatingthe user application to determine whether the user application haspermission to access resources of the DP accelerator; in response todetermining that the user application has permission to access theresources of the DP accelerator and in response to the user applicationinvoking a kernel object that is not residing on the DP accelerator:receiving, at a host system from the DP accelerator, an acceleratoridentifier (ID) that uniquely identifies the DP accelerator, wherein thehost system is coupled to the DP accelerator over a bus; transmittingthe accelerator ID to a predetermined trusted server over a network;receiving a certificate from the predetermined trusted server over thenetwork, the certificate certifying the DP accelerator; verifying thecertificate by verifying a certificate chain of the predeterminedtrusted server; extracting a public root key (PK_RK) from thecertificate for verification, the PK_RK corresponding to a private rootkey (SK_RK) associated with the DP accelerator; verifying a kernel ofthe kernel object by applying the PK_RK to a signature of the kernelobject resulting in an expected hash value, and comparing the expectedhash value to a hash value of the kernel; establishing a secure channelwith the DP accelerator using the PK_RK based on the verification toexchange data securely between the host system and the DP accelerator;and in response to the kernel being verified; sending the kernel to theDP accelerator for execution.
 9. The non-transitory machine-readablemedium of claim 8, wherein the DP accelerator includes one or moreexecution units operable to perform data processing operations on behalfof the user application hosted within the host system, and the userapplication is executing within a trusted execution environment (TEE).10. The non-transitory machine-readable medium of claim 9, wherein thepredetermined trusted server is associated with a provider of the userapplication.
 11. The non-transitory machine-readable medium of claim 8,wherein the predetermined trusted server is associated with a providerof the DP accelerator.
 12. The non-transitory machine-readable medium ofclaim 8, wherein the PK_RK is further utilized to verify a signaturegenerated for the DP accelerator.
 13. The non-transitorymachine-readable medium of claim 12, wherein the PK_RK is utilized bythe host system to establish a session key associated with acommunication session between the host system and the DP accelerator,and in response to the user application signaling a completion of thecommunication session between the host system and the DP accelerator,the session key associated with the communication session is destroyedand a termination message is sent to the DP accelerator.
 14. Thenon-transitory machine-readable medium of claim 13, the PK_RK isutilized by the host system to verify a signature for a publicattestation key to attest a second kernel object that is stored in theDP accelerator, wherein the public attestation key is based at leastupon a randomly generated number together with a version number of afirmware of the DP accelerator, and the session key expires in responseto a firmware of the DP accelerator being upgraded.
 15. A host system,comprising: a processor; and a memory storing instructions, which whenexecuted by the processor, cause the processor to perform operations,the operations including: receiving a request to establish a securechannel between a user application and a data processing (DP)accelerator; authenticating the user application to determine whetherthe user application has permission to access resources of the DPaccelerator; in response to determining that the user application isauthenticated and has permission to access the resources of the DPaccelerator and in response to the user application invoking a kernelobject that is not residing on the DP accelerator: receiving, at a hostsystem from the DP accelerator, an accelerator identifier (ID) thatuniquely identifies the DP accelerator, wherein the host system iscoupled to the DP accelerator over a bus, transmitting the acceleratorID to a predetermined trusted server over a network, receiving acertificate from the predetermined trusted server over the network, thecertificate certifying the DP accelerator, verifying the certificate byverifying a certificate chain of the predetermined trusted server;extracting a public root key (PK_RK) from the certificate forverification, the PK_RK corresponding to a private root key (SK_RK)associated with the DP accelerator, and verifying a kernel of the kernelobject by applying the PK_RK to a signature of the kernel objectresulting in an expected hash value, and comparing the expected hashvalue to a hash value of the kernel; establishing a secure channel withthe DP accelerator using the PK_RK based on the verification to exchangedata securely between the host system and the DP accelerator; and inresponse to the kernel being verified; sending the kernel to the DPaccelerator for execution.
 16. The system of claim 15, wherein the DPaccelerator includes one or more execution units operable to performdata processing operations on behalf of the user application hostedwithin the host system, and the user application is executing within atrusted execution environment (TEE).
 17. The system of claim 16, whereinthe predetermined trusted server is associated with a provider of theuser application.
 18. The system of claim 15, wherein the predeterminedtrusted server is associated with a provider of the DP accelerator. 19.The system of claim 15, wherein the PK_RK is further utilized to verifya signature generated for the DP accelerator.
 20. The system of claim19, wherein the PK_RK is utilized by the host system to establish asession key associated with a communication session between the hostsystem and the DP accelerator, and in response to the user applicationsignaling a completion of the communication session between the hostsystem and the DP accelerator, the session key associated with thecommunication session is destroyed and a termination message is sent tothe DP accelerator.